Impact
The vulnerability is an unauthenticated PHP Object Injection flaw that allows an attacker to manipulate object serialization during processing by the Hiroshi WordPress theme. Because the flaw is not restricted by authentication or input validation, an attacker who can target the thematic code context could forge objects that trigger code execution, potentially leading to arbitrary code execution on the affected WordPress install. The weakness is classified as CWE‑502, indicating an unserialization error that can be abused without user interaction. The impact is the compromise of the entire system hosting the WordPress site, as the injected code runs with the same privileges as the web server.
Affected Systems
WordPress users who installed the Hiroshi theme version 1.5.1 or earlier are affected. The theme is distributed by Select‑Themes under the product name Hiroshi. Users on any operating system or hosting environment that runs the vulnerable theme are at risk, regardless of other plugins or core WordPress version. The only mitigated version is 1.6 and later.
Risk and Exploitability
With a CVSS score of 8.1, the vulnerability is considered high impact. No EPSS score is available, but because the flaw is unauthenticated and relies on a common PHP un-serialization vulnerability, it is likely that exploits may appear in the wild or in the near future. The vulnerability is not listed in the CISA KEV catalog, yet the lack of a published EPSS value does not reduce the risk that an attacker could craft a payload that takes advantage of the theme’s lack of input validation. The most likely attack vector is a crafted URL or form submission that delivers malicious serialized data to the theme’s processing logic, exploiting the improper handling of object deserialization.
OpenCVE Enrichment