Impact
A Deserialization of Untrusted Data flaw in the AncoraThemes Kids Planet WordPress theme permits PHP Object Injection. When the theme processes serialized input, an attacker can craft objects that, due to insufficient validation, trigger execution of arbitrary PHP code in the context of the WordPress site. This weakness is classified as CWE-502 and carries a CVSS score of 9.8, indicating a critical potential for compromising site integrity and confidentiality.
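As an added illustration (not code from the Kids Planet theme or from AncoraThemes), the PHP below contrasts the unsafe CWE-502 pattern the advisory describes with a hardened handler; the function names and settings keys are hypothetical.

```php
<?php
// Added illustration, not the theme's code. Function names and the
// settings schema are hypothetical.

// Unsafe pattern (CWE-502): serialized text from the request goes straight
// into unserialize(), so any serialized object of any loaded class is
// instantiated and its magic methods (__wakeup, __destruct, ...) run.
function kp_load_settings_unsafe(string $raw): array {
    $data = unserialize($raw);
    return is_array($data) ? $data : [];
}

// Hardened handler: refuse objects at the parser level, then validate shape.
function kp_load_settings_safe(string $raw): array {
    // Cheap tripwire for logging/alerting: object or custom-object tokens
    // should never appear in plain settings data. Not a substitute for the
    // allowed_classes option below, just an early signal for defenders.
    if (preg_match('/(?:^|;|\{)[OC]:\d+:"/', $raw)) {
        error_log('kp: rejected serialized input containing object token');
        return [];
    }

    // PHP >= 7.0: allowed_classes => false turns any object into
    // __PHP_Incomplete_Class instead of instantiating it; no magic methods run.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }

    // Allow-list the keys and types the theme actually expects.
    $schema = ['layout' => 'string', 'columns' => 'integer', 'show_banner' => 'boolean'];
    $clean  = [];
    foreach ($schema as $key => $type) {
        if (array_key_exists($key, $data) && gettype($data[$key]) === $type) {
            $clean[$key] = $data[$key];
        }
    }
    return $clean;
}

// Preferred when the format is under your control: JSON cannot encode
// PHP objects at all, so the object-injection surface disappears.
function kp_load_settings_json(string $raw): array {
    $data = json_decode($raw, true, 8);
    return is_array($data) ? $data : [];
}
```

Where a theme must keep accepting serialized data for compatibility, the allowed_classes option plus schema validation is the minimum; switching the transport to JSON removes the class of bug outright.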
Affected Systems
WordPress installations that use AncoraThemes Kids Planet version 2.2.14 or earlier are affected. The flaw exists in all releases from the first version through 2.2.14, regardless of other plugins or configurations.
Risk and Exploitability
The EPSS score is below 1%, suggesting that exploitation attempts are currently rare, and the vulnerability is not listed in the CISA KEV catalog. Because the issue relies on deserialization of untrusted data, the attack vector is likely remote: an attacker would need to supply malicious serialized content through a public interface that the theme accepts. Based on the description, such an entry point could be a public form, an API endpoint, or any other user-supplied input the theme processes, but the CVE does not specify a concrete channel. The high CVSS score underscores the severity of a successful exploit, but the actual risk depends on whether a reachable deserialization entry point exists in a given deployment.
OpenCVE Enrichment