Impact
The Togo theme for WordPress contains a PHP Object Injection flaw (CWE‑502): it deserializes data that an attacker can supply. The advisory does not name the input or the code path, so the mechanism described here is inferred from that description. In PHP the sink is unserialize(); an attacker who controls its input can craft a serialized object whose properties feed a magic method (such as __destruct or __wakeup) of any class the site has loaded, and through such a gadget turn deserialization into arbitrary code execution in the server's PHP context. Successful exploitation therefore compromises the confidentiality, integrity, and availability of the entire website.
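The following is an added illustration of the CWE‑502 pattern the advisory describes, written for this page; it is not the Togo theme's code (the advisory does not show any), and the class name CacheWriter, the function names and the payload are all hypothetical. It shows why a deserialization sink is exploitable even when the caller validates the result afterwards, and the two standard fixes.

```php
<?php
// Added illustration of the CWE-502 pattern; this is NOT the Togo theme's code
// (the advisory does not show it). Class and function names are hypothetical.

// A "gadget": any loaded class whose magic method runs automatically after
// unserialize() and acts on properties the attacker controls. WordPress core,
// the theme and every active plugin all contribute candidate classes.
class CacheWriter {
    public $path;
    public $contents;

    // Runs when the object is released, even if the caller never uses it.
    // With attacker-controlled $path and $contents this is an arbitrary
    // file write, e.g. a .php file dropped under the web root.
    public function __destruct() {
        file_put_contents($this->path, $this->contents);
    }
}

// Vulnerable: request data reaches unserialize() as-is. Checking the result
// afterwards does not help; the gadget's __destruct() fires when $settings
// goes out of scope at the end of this function.
function load_settings_vulnerable(string $untrusted): array {
    $settings = unserialize($untrusted);            // CWE-502 sink
    return is_array($settings) ? $settings : [];
}

// Fix 1: refuse to instantiate any class (PHP >= 7.0). Objects in the payload
// become __PHP_Incomplete_Class, so no magic method can run.
function load_settings_hardened(string $untrusted): array {
    $settings = unserialize($untrusted, ['allowed_classes' => false]);
    return is_array($settings) ? $settings : [];
}

// Fix 2 (preferred for user-supplied data): do not use PHP serialization at
// all. JSON has no way to express an object with behaviour.
function load_settings_json(string $untrusted): array {
    try {
        $settings = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    return is_array($settings) ? $settings : [];
}

// Constructed payload: what an attacker would send in a request. It is the
// serialize() form of a CacheWriter aimed at a harmless path for this demo.
$payload = 'O:11:"CacheWriter":2:{s:4:"path";s:12:"/tmp/poc.txt";'
         . 's:8:"contents";s:12:"gadget fired";}';

@unlink('/tmp/poc.txt');
load_settings_vulnerable($payload);   // __destruct() runs: /tmp/poc.txt is written
clearstatcache();
echo "vulnerable: " . (file_exists('/tmp/poc.txt') ? 'gadget fired' : 'no effect') . "\n";

@unlink('/tmp/poc.txt');
load_settings_hardened($payload);     // incomplete class: nothing is written
clearstatcache();
echo "hardened:   " . (file_exists('/tmp/poc.txt') ? 'gadget fired' : 'no effect') . "\n";
```

Note that the vulnerable function never returns the attacker's object; the gadget fires anyway because PHP destroys the object when the function returns. That is why input validation after unserialize() is too late, and why the fix has to be applied at the call (allowed_classes) or by not using PHP serialization for untrusted data at all.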
Affected Systems
The flaw exists in the Togo theme for WordPress, released by uxper, in all versions before 1.0.4. Any site running a pre‑1.0.4 release of the theme is affected regardless of the WordPress core version, because the issue is confined to the theme's own PHP code; updating the theme to 1.0.4 or later removes it. Note that a child theme built on Togo still loads the parent theme's PHP, so the parent version is what matters.
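As an added check, not part of the advisory or of the theme, the script below reports whether an installed copy is older than the fixed release. It assumes the theme is installed at wp-content/themes/togo (the directory slug is a guess) and declares its version in the standard "Version:" line of the style.css file header, which is how WordPress itself reads theme versions; the header regex mirrors the one WordPress uses for file headers.

```php
<?php
// Added check script (not part of the advisory or the theme). Reports whether
// the installed Togo theme is older than the fixed release 1.0.4.
// Assumptions: theme directory wp-content/themes/togo (slug is a guess) and a
// standard WordPress "Version:" header in that directory's style.css.

const FIXED_VERSION = '1.0.4';

// Extract one field from a WordPress theme/plugin file header. WordPress
// matches "Field: value" at the start of a line and strips any trailing
// comment terminator from the value; this does the same.
function theme_header_field(string $styleCss, string $field): ?string {
    $re = '/^[ \t\/*#@]*' . preg_quote($field, '/') . ':(.*)$/mi';
    if (!preg_match($re, $styleCss, $m)) {
        return null;
    }
    return trim(preg_replace('/\s*(?:\*\/|\?>).*/', '', $m[1]));
}

// true  = affected (older than the fix)
// false = at or above the fixed version
// null  = no usable Version header, decide manually
function theme_is_affected(string $styleCss): ?bool {
    $version = theme_header_field($styleCss, 'Version');
    if ($version === null || $version === '') {
        return null;
    }
    // version_compare handles multi-part and pre-release strings consistently,
    // which a plain string comparison does not ("1.0.10" vs "1.0.4").
    return version_compare($version, FIXED_VERSION, '<');
}

// CLI entry point: php check_togo.php [path/to/wp-content/themes/togo]
$themeDir = $argv[1] ?? 'wp-content/themes/togo';
$styleCss = @file_get_contents($themeDir . '/style.css');
if ($styleCss === false) {
    fwrite(STDERR, "cannot read $themeDir/style.css\n");
    exit(2);
}

$version  = theme_header_field($styleCss, 'Version') ?? 'unknown';
$affected = theme_is_affected($styleCss);
if ($affected === true) {
    echo "AFFECTED: Togo $version is older than " . FIXED_VERSION . "\n";
    exit(1);
} elseif ($affected === false) {
    echo "OK: Togo $version\n";
    exit(0);
} else {
    echo "UNKNOWN: no Version header in $themeDir/style.css\n";
    exit(2);
}
```

Where WP-CLI is available the same value can be read with wp theme get, again assuming the slug is togo; the script above is useful on hosts where only the filesystem is reachable, and its exit status (1 = affected, 0 = fixed, 2 = undetermined) lets it run from a fleet-wide audit job.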
Risk and Exploitability
The CVSS score of 8.8 rates the issue High severity, while the EPSS score below 1% indicates a low probability of exploitation at the time of writing. It is not listed in CISA's KEV catalog, so no active widespread exploitation has been reported. To exploit it, an attacker must get crafted serialized input to the theme's deserialization logic; the advisory does not name the entry point, and the likely vector, inferred from the description, is a request to a publicly reachable theme file or URL that carries the payload. Two caveats shape the practical risk. First, object injection yields code execution only through a gadget chain, that is, a loaded class whose magic method acts on attacker-controlled properties; on a WordPress site, core, the theme and every active plugin contribute candidate classes, so the working assumption should be that a usable chain exists. Second, the low EPSS score reflects current observation rather than difficulty: the technique is well understood, and once the entry point is public, exploitation requires nothing beyond a single crafted request. A successful exploit runs arbitrary code as the web server user and compromises the entire web server.
OpenCVE Enrichment