Impact
This vulnerability is an unauthenticated PHP Object Injection flaw in the Alukas WordPress theme. Attackers can supply crafted input that is deserialized by the theme, allowing the creation of arbitrary PHP objects. This can lead to the execution of malicious code, compromising the confidentiality, integrity, and availability of the affected WordPress installation. The CVSS score of 8.1 reflects the severity of this remote code execution risk.
Affected Systems
The flaw affects installations of the PressLayouts Alukas theme for WordPress running any version prior to 3.0.0. Any site that has not yet applied the theme update is potentially vulnerable and should be evaluated for usage of the theme.
Risk and Exploitability
The vulnerability does not require authentication and can be triggered by a user-supplied request that reaches the theme’s serialization logic. While there is no EPSS information available, the high CVSS rating indicates a significant threat. The theme has not been listed in the CISA KEV catalog, but the lack of a mitigation in the active security community adds urgency to applying the vendor‑provided fix. An attacker can exploit the flaw remotely by sending malicious input to the theme’s deserialization endpoint, potentially executing arbitrary PHP code on the server.
OpenCVE Enrichment