Impact
The vulnerability is a PHP object injection flaw in the Exertio theme for WordPress: the theme deserializes untrusted data, allowing an attacker to inject arbitrary PHP objects. This can lead to the execution of arbitrary PHP code, giving the attacker full control over the affected web server. The CVSS score of 9.8 reflects the high severity of this remote code execution risk. The EPSS score of less than 1% indicates that, while exploitation is currently uncommon, the potential damage is catastrophic if crafted input reaches the deserialization routine.
Affected Systems
The Exertio WordPress theme (from the vendor scriptsbundle) is vulnerable in all releases up to and including version 1.3.2. Any site that has installed this theme, regardless of WordPress version, is at risk until it is updated to a non-vulnerable release.
Risk and Exploitability
Because the flaw permits arbitrary object creation through deserialization of attacker-controlled input, an attacker who can influence the data sent to the theme can instantiate malicious objects and execute code. Successful exploitation would compromise the confidentiality, integrity, and availability of the host system. Although the EPSS score is low, the high CVSS score shows that exploitation could have severe consequences, especially on servers that expose publicly accessible forms or upload interfaces. The vulnerability is not currently listed in the CISA KEV catalogue, but the absence of a public exploit does not mitigate the intrinsic risk presented by the flaw.
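To make the flaw class concrete for developers auditing their own code, the following added example (not code from the Exertio theme or its vendor) shows the generic unserialize-on-request-data pattern the advisory describes beside two hardened forms; the `filter_state` parameter name and the key allow-list are hypothetical.

```php
<?php
// Added illustration of PHP object injection via deserialization of
// untrusted input. This is NOT the Exertio theme's code; the parameter name
// 'filter_state' and the allowed keys below are invented for the example.

// --- Vulnerable pattern ---------------------------------------------------
// unserialize() on request data instantiates whatever classes the payload
// names and triggers their __wakeup()/__destruct() hooks. That is the
// object-injection flaw class behind the CVSS 9.8 rating above.
function load_filter_state_vulnerable(): array
{
    $raw   = $_POST['filter_state'] ?? '';
    $state = unserialize(base64_decode($raw)); // DO NOT DO THIS
    return is_array($state) ? $state : [];
}

// --- Hardened form 1: carry plain data, never serialized objects ---------
// JSON cannot name PHP classes, so no object is ever instantiated, and the
// keys are reduced to the allow-list the feature actually needs.
function load_filter_state_json(string $raw): array
{
    $state = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($state)) {
        throw new InvalidArgumentException('filter_state must be a JSON object');
    }
    $allowed = ['category', 'location', 'page']; // hypothetical allow-list
    return array_intersect_key($state, array_flip($allowed));
}

// --- Hardened form 2: if unserialize() cannot be removed yet -------------
// 'allowed_classes' => false (PHP 7+) forbids object instantiation: any
// object in the payload becomes __PHP_Incomplete_Class and no magic method
// runs. Still only a stop-gap; prefer form 1 for request data.
function load_filter_state_unserialize_safe(string $raw): array
{
    $state = unserialize($raw, ['allowed_classes' => false]);
    return is_array($state) ? $state : [];
}

// Constructed sample: an array that smuggles in an object of a class that
// does not exist here. Under form 2 it is inert; under the vulnerable
// function it would be instantiated if such a class were loaded.
$sample = 'a:1:{s:4:"page";O:17:"Nonexistent_Class":0:{}}';
$page   = load_filter_state_unserialize_safe($sample)['page'];
var_dump($page instanceof __PHP_Incomplete_Class);

// WordPress note: wp_unslash() and sanitize_text_field() do not make
// serialized input safe; change the on-the-wire format instead.
```

Detection tip for auditors: grep theme and plugin code for `unserialize(` and `maybe_unserialize(` whose argument traces back to `$_GET`, `$_POST`, `$_COOKIE` or `$_REQUEST`.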
OpenCVE Enrichment