Impact
PressMart theme versions 1.2.26 and earlier contain an unauthenticated PHP Object Injection flaw. The vulnerability allows an attacker to inject a specially crafted serialized payload through the theme’s processing logic, which can result in the instantiation of arbitrary PHP objects. This leads to potential code execution, data tampering or disclosure, and compromise of the WordPress site’s confidentiality, integrity, and availability.
Affected Systems
The flaw affects only WordPress sites utilizing the PressLayouts:PressMart theme, versions 1.2.26 or earlier. Users who have not updated the theme are vulnerable.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, and the lack of an EPSS score makes it unclear how frequently exploit attempts occur; the vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is an unauthenticated web request that delivers a malicious serialized object to the theme’s entry point. Once executed, the attacker could gain arbitrary code execution on the server.
OpenCVE Enrichment