Impact
Deserialization of untrusted data in the Smart Sections Theme Builder - WPBakery Page Builder Addon allows an attacker to inject malicious PHP objects, potentially leading to remote code execution, data exfiltration, or other destructive actions. The vulnerability is classified as CWE-502 and carries a CVSS score of 9.8, indicating a severe risk. The attack most likely requires supplying crafted serialized payloads through a plugin-facing input such as a form field or an API endpoint; this is an inference drawn from the nature of PHP object injection flaws rather than a detail stated in the advisory.
Affected Systems
All WordPress sites that have installed the themegusta Smart Sections Theme Builder - WPBakery Page Builder Addon plugin at a version up to and including 1.7.8 are affected. Any site running an earlier release, including builds older than the first official release, is also vulnerable.
Risk and Exploitability
The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. However, the high CVSS score and the nature of the flaw mean that once an exploit becomes available, it could be very damaging. The attacker would need to inject the malicious serialized data into a location processed by the plugin, such as a custom post meta field or a plugin option. Once processed, the PHP object injection could be leveraged to execute arbitrary code or alter the site's data integrity.
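As an added illustration of the flaw class described above (this is not code from the advisory or from the plugin; the function names and the sample values are hypothetical), the unsafe and the hardened ways for a plugin to load a stored serialized setting, plus a check a scanner could run over stored option or post-meta values before they reach unserialize():

```php
<?php
// Added example, not taken from the advisory or the affected plugin.
// Function names and sample values below are constructed for illustration.

// Vulnerable pattern: every class named in the payload is instantiated and
// its __wakeup()/__destruct() hooks run, which is what CWE-502 abuses.
function load_settings_unsafe(string $stored)
{
    return unserialize($stored);
}

// Hardened pattern: allowed_classes=false (PHP >= 7.0) means no class is ever
// instantiated; anything that is not a plain array of scalars is then rejected
// so a tampered value never reaches the rest of the plugin.
function load_settings_safe(string $stored): array
{
    $value = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return []; // corrupt data, a bare object, or "b:0;" all end here
    }
    $clean = true;
    array_walk_recursive($value, function ($leaf) use (&$clean) {
        if ($leaf !== null && !is_scalar($leaf)) {
            $clean = false; // e.g. a __PHP_Incomplete_Class left by a blocked object
        }
    });
    return $clean ? $value : [];
}

// Detection aid: flag stored values that carry an object marker ("O:" or "C:")
// at the top level or nested inside an array, before they are deserialized.
function looks_like_object_payload(string $stored): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $stored);
}

// Constructed samples: a legitimate settings array and a tampered value.
$legit    = serialize(['layout' => 'grid', 'columns' => 3]);
$tampered = 'O:8:"stdClass":1:{s:1:"x";s:1:"y";}';

var_dump(looks_like_object_payload($legit));
var_dump(looks_like_object_payload($tampered));
var_dump(load_settings_safe($tampered));
```

The hardened loader returns an empty array for the tampered sample because the blocked object surfaces as `__PHP_Incomplete_Class` rather than an array, and the regex check lets a site audit wp_options and post meta for object markers without ever deserializing them.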
OpenCVE Enrichment