Impact
The vulnerability is a PHP object injection flaw present in versions of the Avada theme up to 3.15.3. Untrusted input can be used to craft a serialized object that, when deserialized by the theme’s code, can lead to arbitrary code execution. The weakness is classified as CWE‑502, allowing an attacker to compromise the confidentiality, integrity, and availability of the entire WordPress installation if exploited.
Affected Systems
WordPress sites that use the ThemeFusion Avada theme version 3.15.3 or earlier are affected. This includes all installations whose theme version string shows 3.15.3 or any lower patchlevel.
Risk and Exploitability
The CVSS base score is 8.8, indicating high severity. The EPSS score of less than 1% suggests a low exploitation probability at present, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the exploitation path requires an attacker to supply malicious serialized data to the theme, most likely via an HTTP request to a WordPress endpoint that processes the theme’s configuration. If such a vector exists, an attacker could gain remote code execution with the privileges of the web server user.
OpenCVE Enrichment