Impact
The vulnerability is a PHP Object Injection flaw caused by deserialization of untrusted data in the EMV The Hospital WordPress theme. An attacker providing crafted serialized input can coerce the theme into creating arbitrary PHP objects, leading to execution of malicious code on the server. The weakness corresponds to CWE-502, which can compromise confidentiality, integrity, and availability of the affected website.
Affected Systems
EMV The Hospital theme for WordPress, version 1.8.1 or earlier, including all releases from the initial release through 1.8.1.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity. Although the EPSS score is not available, the high CVSS suggests that exploitation is likely if the vulnerability is discovered. The theme is not listed in the CISA KEV catalog, but the flaw could be targeted by attackers who control input that is deserialized, such as query strings, POST data, or WordPress metadata. The attack vector is inferred to be remote exploitation via crafted serialized data, potentially allowing full remote code execution on the hosted site.
OpenCVE Enrichment