The vulnerability is a deserialization of untrusted data flaw that enables PHP Object Injection within the ThemeREX Extreme Store WordPress theme. An attacker can craft malicious serialized objects that, when processed by the theme, result in arbitrary code execution on the web server. This type of weakness can compromise the confidentiality, integrity, and availability of the affected website, allowing attackers to read, modify, or delete site data and potentially gain full control over the server.

WordPress sites that have the ThemeREX Extreme Store theme installed and running up to version 1.5.10 are affected. All deployments of this theme, regardless of other configuration or plugins, are potentially vulnerable until the theme is updated beyond the stated maximum affected release.

The CVSS score of 9.8 classifies the flaw as critical. The EPSS score of less than 1% indicates a very low but non-zero probability of exploitation, and the vulnerability is not yet listed in the CISA KEV catalog. While the official description does not specify required permissions, the nature of a PHP object injection suggests that a remote attacker can trigger the flaw via crafted input without prior authentication. Exploitation likely requires that the theme's unserialize functionality is invoked on data supplied by an attacker, such as through a form, query parameter, or cookie. Once triggered, the attacker can execute arbitrary PHP code, leading to full compromise of the affected WordPress installation.