Impact
The Elementra WordPress theme versions 1.0.9 and earlier expose an unauthenticated PHP Object Injection flaw that allows an attacker to manipulate serialized data and instantiate arbitrary PHP objects. This vulnerability, identified as CWE-502, gives the attacker the ability to execute arbitrary code on the host, potentially leading to full compromise of confidentiality, integrity, and availability of the website and its underlying infrastructure.
Affected Systems
ThemeREX Group’s Elementra WordPress theme, any installation running version 1.0.9 or earlier, is affected. The vulnerability applies to the theme regardless of other plugins or core WordPress versions, as it relies on the theme’s own unserialize implementation.
Risk and Exploitability
With a CVSS score of 9.8, the flaw is considered critical. The EPSS score of less than 1% indicates a low probability of immediate exploitation, and the vulnerability is not yet listed on the CISA KEV catalog. Nonetheless, the lack of authentication requirements means an attacker can craft a malicious request to any public site employing the vulnerable theme, enabling full remote code execution. The risk remains high until a patch is applied or the theme is removed.
OpenCVE Enrichment