The ModelTheme Addons for WPBakery and Elementor plug‑in contains a deserialization flaw that allows an attacker to inject arbitrary PHP objects into the application. The vulnerability is a classic case of insecure deserialization, CWE-502, and can lead to remote code execution or other malicious activity if an attacker is able to supply crafted data to the plugin. The flaw manifests through the plugin's handling of user‑supplied data, which is parsed using PHP's native unserialize function without validating or escaping the input.

The issue affects all WordPress sites that have the ModelTheme Addons for WPBakery and Elementor plugin installed with a version earlier than 1.5.6. The vendor responsible for the product is ModelTheme, and the affected releases are identified by the absence of a specific starting version (n/a) through any release below 1.5.6.

With a CVSS score of 8.8, the vulnerability is considered high severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the current landscape, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is likely remote, as any user or attacker who can interact with the plugin—through form submissions, REST API calls, or direct URL manipulation—could inject malicious objects. The lack of an official workaround means organizations should focus on timely patching and disabling the plugin if an upgrade is not possible.