Impact
The vulnerability is a deserialization flaw in the Lagom WordPress theme, allowing an attacker to inject arbitrary PHP objects during unserialization. This can lead to remote code execution on the affected WordPress site, compromising the confidentiality, integrity, and availability of the site and any data it hosts. The flaw is assigned a CVSS score of 9.8, reflecting its high severity and potential impact.
Affected Systems
The Vulnerable product is Themeton Lagom theme for WordPress. All versions from the earliest release up through version 2.0 are affected; no exact starting release is specified. Any WordPress site using the Lagom theme at or below version 2.0 is potentially impacted.
Risk and Exploitability
A CVSS score of 9.8 indicates a critical vulnerability. EPSS scores are not available, so the public exploitation likelihood is unknown but the high severity suggests a strong incentive to exploit. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through any input that the theme uses to deserialize user‑provided data, such as theme configuration fields or custom input endpoints – this inference is based on the nature of PHP object injection attacks.
OpenCVE Enrichment