Impact
An unauthenticated PHP Object Injection flaw is present in WordPress Konsept theme versions 1.9 and earlier. The weakness allows an attacker to send specially crafted serialized PHP data to the theme, causing PHP's deserialization to instantiate objects controlled by the attacker. This can lead to remote code execution or other destructive operations on the affected WordPress site. The flaw is classified as CWE‑502 and carries a CVSS score of 8.1, indicating a high level of severity.
Affected Systems
The vulnerability affects sites that use the Elated‑Themes:Konsept WordPress theme installed in version 1.9 or earlier. No further platform specifics are provided, and the issue is limited to the theme itself.
Risk and Exploitability
With a CVSS score of 8.1 and no EPSS data available, the risk is high and the vulnerability is not yet listed in CISA KEV. Attackers can exploit this flaw through publicly accessible HTTP requests to the WordPress installation, without requiring authentication. The absence of mitigations in older theme releases means adversaries can likely achieve high‑impact objectives once the flaw is verified.
OpenCVE Enrichment