Impact
Unauthenticated PHP Object Injection exists in the PressLayouts EmallShop theme through version 2.4.21. An attacker can send crafted serialized object data to the WordPress site, potentially causing the application to instantiate arbitrary PHP objects. Because this vulnerability is classified as CWE‑502, it is inferred that the flaw could be exploited to execute arbitrary code on the server, although the description does not explicitly confirm this outcome.
Affected Systems
The issue impacts installations of the PressLayouts EmallShop WordPress theme with versions up to and including 2.4.21. Users running any of these versions should verify the specific release installed and cross‑check it against the affected range.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1 % suggests the probability of exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog. The flaw is unauthenticated, meaning that any remote user capable of sending a crafted request to the site could attempt the injection. While the likelihood of exploitation remains low at present, the potential consequences of successful exploitation are significant.
OpenCVE Enrichment