Impact
Unauthenticated PHP Object Injection in the WordPress Zermatt Theme allows an attacker to deserialize crafted data and create arbitrary PHP objects, which can lead to remote code execution, data leakage, or manipulation of site content. The weakness is documented as CWE‑502, indicating an unsafe handling of serialized data.
Affected Systems
The vulnerability affects all releases of the Select‑Themes Zermatt WordPress theme with a version number of 1.6.1 or older. Updating the theme to version 1.7 or later removes the flaw.
Risk and Exploitability
The CVSS score of 8.1 classifies this issue as high severity. Because the flaw is unauthenticated, an attacker may be able to deliver malicious serialized payloads through any endpoint that the theme processes. Based on the description, it is inferred that such an attack vector exists remotely, though the Exact EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, which suggests the likelihood of exploitation depends largely on the presence of an accessible entry point.
OpenCVE Enrichment