Impact
The flaw is an unauthenticated PHP Object Injection (CWE‑502) in the Elated‑Themes Fidalgo theme up to version 1.2.2. The theme performs unsafe PHP unserialization on user input, enabling an attacker to craft a serialized object that is deserialized and executed by the server. This leads to full control of the affected WordPress site, allowing reading, modification, deletion of content, injection of malware, or lateral movement.
Affected Systems
WordPress sites that use the Elated‑Themes Fidalgo theme version 1.2.2 or earlier are affected. Any installation still running one of these versions falls within the risk envelope until the theme is upgraded.
Risk and Exploitability
The CVSS score of 8.1 signals significant impact and remote exploitation potential. The EPSS score is below 1 %, suggesting low current exploitation activity, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated request that sends crafted serialized data to the theme’s unserialize handling code.
OpenCVE Enrichment