Impact
The vulnerability is a deserialization flaw that permits object injection when the Insurance theme deserializes untrusted data. An attacker who can supply a crafted serialized payload can cause the theme to instantiate arbitrary objects, potentially executing arbitrary code in the context of the web application. The flaw maps to CWE-502 (Deserialization of Untrusted Data), a critical weakness in handling serialized data, and can lead to remote code execution and complete compromise of the affected site.
Affected Systems
The issue affects the WordPress Insurance theme by designthemes in all releases up to and including version 3.5. Any WordPress site running a theme version in this range is vulnerable. No precise sub-versions are listed, so every release up to 3.5 is considered at risk.
Risk and Exploitability
The CVSS score of 8.8 places the flaw in the high severity range; the EPSS score of <1% indicates a low current likelihood of exploitation, but the flaw remains dangerous once a public exploit becomes available. The vulnerability is not listed in the CISA KEV catalog, yet the prospect of remote code execution makes it a priority for patching. The likely attack path involves sending a crafted serialized object in an HTTP request that the theme deserializes; authentication or specific WordPress hooks may be required, but such details are not disclosed. Given the severity, every site running the affected theme should be treated as exposed.
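To make the CWE-502 pattern concrete, here is an added example in generic WordPress-style PHP, not code from the Insurance theme: the unsafe use of unserialize() on request data beside two hardened replacements. The function names and the saved-state inputs are constructed for illustration.

```php
<?php
// Added example, not the Insurance theme's code. Shows the CWE-502 pattern
// in generic WordPress-style PHP and two hardened replacements.

// UNSAFE: unserialize() on attacker-controlled input lets the sender choose
// which classes get instantiated; __wakeup() runs during deserialization and
// __destruct() runs when the object is released, so any class already loaded
// by WordPress, the theme, or a plugin becomes reachable code.
function theme_load_state_unsafe( string $raw ) {
    return unserialize( $raw );
}

// HARDENED (option 1): forbid object instantiation entirely. Scalars and
// arrays still round-trip; any "O:" token becomes __PHP_Incomplete_Class,
// whose magic methods never run.
function theme_load_state_safe( string $raw ) {
    $value = unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( false === $value && serialize( false ) !== $raw ) {
        return null; // malformed input, not a legitimate saved state
    }
    return $value;
}

// HARDENED (option 2): do not use PHP's native format for untrusted data.
// JSON cannot express PHP object types, so there is nothing to inject.
function theme_load_state_json( string $raw ) {
    $value = json_decode( $raw, true, 16 );
    return ( JSON_ERROR_NONE === json_last_error() ) ? $value : null;
}

// Constructed inputs for a quick check (a plain array and a harmless
// stdClass; not real exploit payloads).
$array_input  = serialize( array( 'tab' => 'quotes', 'page' => 2 ) );
$object_input = serialize( (object) array( 'foo' => 'bar' ) );

var_dump( theme_load_state_safe( $array_input ) );
var_dump( theme_load_state_safe( $object_input ) instanceof __PHP_Incomplete_Class );
var_dump( theme_load_state_json( '{"tab":"quotes","page":2}' ) );

// Review note: WordPress sanitization helpers such as sanitize_text_field()
// do not make unserialize() safe. During code review, treat any unserialize()
// reachable from $_GET, $_POST, $_REQUEST, cookies, or remote HTTP responses
// as a finding unless allowed_classes is restricted.
```

Running the script shows the array surviving option 1 unchanged while the object input is neutralised into an incomplete-class placeholder.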
OpenCVE Enrichment