The vulnerability is an instance of insecure deserialization (CWE-502) in the Grand Restaurant WordPress theme. Untrusted serialized data can be supplied to the theme, allowing an attacker to instantiate arbitrary objects and execute code, which leads directly to remote code execution. This flaw enables an attacker to tamper with integrity and confidentiality of the site, potentially taking full control over the affected WordPress installation. The description does not specify any special authorization requirements, implying that the attack may be carried out via standard web requests that reach the theme’s processing endpoints. The inference that the attack vector is remote via web requests is drawn from the lack of explicit authorization in the description.

The affected system is the WordPress Grand Restaurant theme, produced by ThemeGoods. Versions from the first release through 7.0.10 are susceptible. The problem resides in the theme’s handling of serialized data rather than in WordPress core or other plugins.

With a CVSS score of 9.8 the vulnerability is considered critical. The EPSS score is less than 1%, reflecting a low probability of exploitation at the time of analysis, yet the lack of known exploitation (not listed in KEV) does not diminish the severity. The likely attack vector is remote via the WordPress web interface wherever the theme accepts serialized input; no additional authentication or privilege escalation steps are documented, suggesting that any authenticated user or possibly even unauthenticated users could be leveraged depending on how the theme processes incoming data. This inference is based solely on the absence of explicit authorization in the description.