The vulnerability is a flaw in the Grand Restaurant WordPress theme that permits untrusted data deserialization, enabling an attacker to inject PHP objects into the application. This object injection can lead to arbitrary code execution, compromising the confidentiality, integrity, and availability of the site and potentially the underlying server. The flaw is categorized as CWE‑502, which is known for enabling remote code execution when an application accepts serialized data from outside sources.

The exposed product is the Grand Restaurant theme released by ThemeGoods. All releases from the initial version through and including version 7.0 are affected. The exact starting version is not listed, but any installation of the theme with a version number <= 7.0 is vulnerable.

The vulnerability carries a CVSS score of 9.8, classifying it as critical. The EPSS score is less than 1%, indicating a very low but nonzero probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. The likely attack vector is remote; an attacker can craft a malicious request that includes serialized data processed by the theme, such as through a file upload, custom shortcode, or query parameter that the theme deserializes. Given the severity of the flaw and the potential for remote code execution, systems running the affected theme should treat the risk as high, even if actual exploitation probability is currently low.