The vulnerability arises from the deserialization of untrusted data in the Amwerk theme. Because the theme blindly accepts serialized PHP objects, an attacker can inject malicious objects that, when deserialized, can trigger arbitrary code execution. This flaw is classified as CWE‑502 and can allow a remote attacker to gain complete control over the affected WordPress installation, including modifying files, stealing data, or installing malware.

The Amwerk theme from BoldThemes, versions up to and including 1.2.0, is affected. Any WordPress site that installs this theme—even if the theme is not currently activated—could be vulnerable if the theme’s code processes serialized data from user input or external sources. There is no additional version range listed, so all releases prior to 1.2.1 are implicitly vulnerable.

The CVSS score of 9.8 places the flaw in the critical range, and the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at this time, although no formal exploit has been documented. The flaw is not listed in CISA’s KEV catalog. To exploit the issue, an attacker would need to supply crafted serialized payloads to the theme’s processing routine, which typically occurs through theme‑related request handling or plugin integrations that accept serialized data. Because the vulnerability exists in the core theme code, there is no requirement for additional software or privileges beyond the ability to influence the serialized input.