ThemeMove Core Plugin up to version 1.4.2 contains an insecure deserialization flaw that allows untrusted data to be deserialized into PHP objects. This weakness, classified as CWE-502, can be exploited to inject arbitrary objects, leading to remote code execution on the affected WordPress site. The vulnerability permits an attacker to control or inject code that may run with the privileges of the WordPress installation, potentially compromising the entire website, its data, and any backend services.

WordPress sites that have the ThemeMove Core plugin installed with a version of 1.4.2 or earlier. The flaw exists in all releases of the plugin from the initial release up through 1.4.2.

The CVSS base score of 8.8 indicates a high severity that could allow a remote attacker to execute arbitrary code. However, the EPSS score is reported as less than 1%, implying that the probability of an actual widespread exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog, which means there are no known public exploits widely available. Likely attack vectors involve submitting crafted serialized PHP data to a vulnerable endpoint, such as a plugin form or custom UTF-8 payload, which is then inadvertently processed by the application. Successful exploitation would grant the attacker code execution rights on the WordPress host.