Impact
The vulnerability is a deserialization of untrusted data (CWE-502) that allows an attacker to inject malicious PHP objects. When the Creatify theme processes user‑supplied data, the serialized payload is deserialized without validation, giving the attacker the ability to execute arbitrary code on the web server. This flaw can compromise the confidentiality, integrity, and availability of the site and any connected services.
Affected Systems
The Creatify WordPress theme, supplied by EMV, is affected from the earliest released version through 1.5. Every site running any legacy version of the theme prior to the release of a newer fixed version is vulnerable.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical level of risk and suggests that successful exploitation would provide complete control over the affected server. While the EPSS score is not available, the absence of a KEV listing does not lessen the danger. Based on the description, it is inferred that the flaw could be triggered by an unauthenticated or authenticated user with access to a page that accepts serialized input, suggesting a straightforward HTTP‑based attack vector.
OpenCVE Enrichment