Impact
The Plumbing theme for WordPress contains an unauthenticated PHP Object Injection flaw in all releases up to and including version 1.6. Attackers can manipulate serialized data that the theme processes, enabling them to instantiate arbitrary PHP objects and execute malicious code on the host web server. This escalates the vulnerability to full remote code execution with the same privileges as the web server user, potentially resulting in site takeover, data exfiltration, or further compromise of the environment.
Affected Systems
The affected product is the ThemeREX Plumbing theme for WordPress, specifically all releases with version numbers equal to or lower than 1.6. Hosts using the theme in any WordPress installation—regardless of their other configurations—are potentially exposed unless the theme is upgraded or removed.
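An added example, not part of the advisory or the theme's code: a Python check that walks a `wp-content/themes` directory and flags Plumbing installs at or below 1.6. It assumes the theme's `style.css` carries `Plumbing` in its `Theme Name:` header; `THEME_NAME`, `scan_themes` and the other names are chosen here.

```python
import re
import sys
import tempfile
from pathlib import Path

THEME_NAME = "plumbing"  # assumption: appears in the theme's "Theme Name:" header
LAST_AFFECTED = (1, 6)   # advisory: all releases up to and including 1.6
# "Key: value" header lines inside the comment block at the top of style.css.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version)[ \t]*:[ \t]*(.*?)[ \t]*$", re.I | re.M)

def parse_headers(css_text):
    """Return the first 'theme name' and 'version' header values of a style.css."""
    headers = {}
    for key, value in HEADER_RE.findall(css_text[:8192]):  # headers sit at the top
        headers.setdefault(key.lower(), value)
    return headers

def is_affected(version):
    """True/False by numeric comparison with 1.6; None if the version is unparseable."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip(), re.I)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    while len(parts) > 1 and parts[-1] == 0:  # treat 1.6.0 as 1.6
        parts = parts[:-1]
    return parts <= LAST_AFFECTED  # numeric compare, so 1.10 is newer than 1.6

def scan_themes(themes_dir):
    """List (directory, version, status) for every matching theme in themes_dir."""
    labels = {True: "affected", False: "not affected", None: "unknown version"}
    findings = []
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        h = parse_headers(css.read_text(encoding="utf-8", errors="replace"))
        if THEME_NAME not in h.get("theme name", "").lower():
            continue
        version = h.get("version", "")
        findings.append((css.parent.name, version, labels[is_affected(version)]))
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    if root is None:  # constructed sample tree so the script runs offline
        root = tempfile.mkdtemp()
        for slug, ver in (("plumbing", "1.6"), ("plumbing-new", "1.10")):
            (Path(root) / slug).mkdir()
            (Path(root) / slug / "style.css").write_text(f"/*\nTheme Name: Plumbing\nVersion: {ver}\n*/\n")
    for row in scan_themes(root):
        print(*row, sep="\t")
```

Run it with the path to a site's `wp-content/themes` directory as the only argument; an "unknown version" result needs a manual look rather than being read as safe.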
Risk and Exploitability
The CVSS score of 9.8 classifies the issue as Critical. The EPSS score is currently unavailable, indicating insufficient data on exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been observed in widespread attacks. Nevertheless, the flaw is unauthenticated and permits arbitrary code execution, making it an attractive target for attackers with even minimal resources. Attackers can exploit the vulnerability remotely via non-privileged HTTP requests to the vulnerable site, leveraging the theme’s object handling routines.