Impact
The vulnerability is an unauthenticated PHP Object Injection flaw in ThemeREX Addons plugin versions up to 2.36.1.1. This weakness allows an attacker to create or manipulate PHP objects that are later unserialized, potentially enabling the attacker to execute arbitrary code or alter application behavior. The flaw is classified as CWE‑502, indicating a deserialization vulnerability that can lead to code execution and data tampering.
Affected Systems
The affected product is the WordPress ThemeREX Addons plugin from ThemeREX, with all releases at or below version 2.36.1.1. Users running those versions are impacted.
Risk and Exploitability
The CVSS score of 9.8 marks this vulnerability as critical, while the EPSS score is currently unavailable, suggesting no publicly documented exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Because the injection is unauthenticated, an attacker could exploit the flaw by accessing the plugin’s input fields or API endpoints from any user, making the attack vector straightforward and potentially automated. An attacker who succeeds could gain full control over the WordPress site.
OpenCVE Enrichment