Impact
WordPress Nifty Theme versions up to 1.4.1 allow an unauthenticated attacker to inject PHP objects. When malicious serialized data is processed by the theme’s PHP code, PHP’s unserialize function instantiates arbitrary objects, which can lead to remote code execution, data tampering or other severe compromise.
Affected Systems
The vulnerability affects BoldThemes’ Nifty WordPress theme, version 1.4.1 and earlier. The vendor has released a remediation in version 1.4.2 on or after the advisory publication.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical high‑risk flaw and the EPSS score of less than 1% shows a low current exploitation probability, but the issue is still not listed in CISA’s KEV catalog. Because the flaw is unauthenticated and relies on PHP deserialization, an attacker can trigger it via any HTTP request that reaches vulnerable code paths within the theme. The impact is full remote code execution on the affected site, potentially compromising the entire web application and underlying server.
OpenCVE Enrichment