Impact
Unauthenticated PHP Object Injection is present in NeoBeat theme versions 1.7 or earlier. The flaw arises from deserializing untrusted user input without proper validation, a classic CWE‑502. When exploited, arbitrary object data can be injected, potentially allowing an attacker to run arbitrary PHP code on the server. The description does not specify the exact outcome, but based on PHP Object Injection mechanics it is inferred that an attacker could gain complete control over the WordPress site and manipulate or steal site data.
Affected Systems
WordPress installations that employ the NeoBeat theme from Elated‑Themes at version 1.7 or below are affected. All newer releases, starting with 1.8, contain the fix. The theme is usually deployed as a child theme or through the WordPress theme repository.
Risk and Exploitability
CVSS score of 8.1 signals high severity. EPSS score below 1% indicates that the vulnerability has not yet been widely exploited in the wild. The flaw does not require authentication and appears to be reachable via the public web interface; this inference is drawn from the description of an unauthenticated PHP Object Injection. Although the vulnerability is not listed in the CISA KEV catalog, sites with the vulnerable theme remain at risk until they upgrade.
OpenCVE Enrichment