Impact
The vulnerability is a PHP Object Injection that does not require authentication. An attacker can send a specially crafted serialized payload to the SeaFood Company theme, causing the WordPress site to deserialize the data and instantiate arbitrary PHP objects. This can lead to remote code execution, data tampering, or escalation of privileges. The weakness is identified as CWE‑502.
Affected Systems
WordPress sites that use the SeaFood Company theme from ThemeREX with version 1.4 or earlier are affected. Any deployment that has not updated past these releases is at risk.
Risk and Exploitability
The CVSS score of 9.8 indicates a high severity of impact. The EPSS score of less than 1% suggests that exploitation attempts are currently rare, but the absence from the CISA KEV catalog does not diminish the risk of a successful attack. The likely attack vector is an unauthenticated HTTP request that contains a malicious serialized payload, such as through a form or API endpoint that the theme processes without proper validation.
OpenCVE Enrichment