Impact
The Hot Coffee theme contains an unauthenticated PHP Object Injection vulnerability that allows attackers to craft malicious input and force the PHP engine to unserialize user-supplied data. This weakness, identified as CWE‑502, can be leveraged to execute arbitrary code on the web server, compromising the confidentiality, integrity, and availability of the site’s data and systems.
Affected Systems
Any WordPress installation using the ThemeREX Hot Coffee theme version 1.7 or earlier is vulnerable. No additional product or version details are provided beyond the theme’s major release number.
Risk and Exploitability
With a CVSS score of 9.8 the vulnerability is considered critical, and the EPSS score indicates that exploitation probability is presently low (<1%). The flaw is not listed in the CISA KEV catalog. Attackers can trigger the vulnerability by submitting crafted payloads without authentication, so anyone with web access could potentially execute code, but the likelihood of widespread exploitation at this time remains limited.
OpenCVE Enrichment