Impact
The vulnerability is an unauthenticated PHP Object Injection that allows an attacker to instantiate malicious PHP objects when using the Alloggio – Hotel Booking theme in WordPress versions <= 2.1.2. This flaw is classified as CWE‑502 and, if exploited, could lead to arbitrary code execution, compromising the confidentiality, integrity, and availability of the affected WordPress site.
Affected Systems
Affected are installations of the WordPress Alloggio – Hotel Booking theme provided by Edge‑Themes, specifically all releases up to and including version 2.1.2. The vulnerability remains present in those and earlier minor releases of the theme and has been addressed in the 2.1.3 release.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, while the EPSS score of fewer than 1 % suggests a currently low probability of exploitation. The flaw is not listed in CISA’s KEV catalog. Based on the description, it is inferred that attackers can target the vulnerability remotely through the site’s web interface without needing prior authentication, making the risk high for exposed WordPress installations that still use the vulnerable theme. Formal monitoring or patching is recommended to mitigate the threat.
OpenCVE Enrichment