Impact
A PHP Object Injection flaw in Themeton's Barber Shop WordPress theme occurs when the theme deserializes user‑supplied data. The flaw, identified as CWE‑502, allows an attacker to inject a crafted object into the unserialized stream, which can lead to execution of arbitrary code on the target web server if the object’s magic methods are invoked.
Affected Systems
All installations of the Barber Shop theme from its first release up through version 1.9 are affected. Any site running those versions of the theme is vulnerable, while versions 2.0 and later are considered safe according to the vendor’s advisories.
Risk and Exploitability
The CVSS score of 9.8 classifies this vulnerability as critical. The EPSS score is not available, which does not diminish the high base score but indicates that an up‑to‑date exploitation probability estimate is not yet published. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires an attacker to submit crafted serialized data—such as via form inputs, theme options pages, or API endpoints—without needing additional authentication or host privileges.
OpenCVE Enrichment