Impact
The vulnerability is an unauthenticated PHP Object Injection flaw in any installation of the Select‑Themes Santé WordPress theme version 1.5.1 or earlier. By manipulating a serialized object that is passed to PHP’s unserialize function, an attacker can execute arbitrary PHP code on the server, leading to a compromise of confidentiality, integrity, and availability for the WordPress site and potentially the underlying web server. The weakness is identified as CWE‑502, improper deserialization of untrusted data.
Affected Systems
This issue affects WordPress sites that have the Santé theme 1.5.1 or older installed. The developer released an updated theme version 1.6 that removes the problematic deserialization logic. Sites that cannot immediately upgrade must avoid using the vulnerable theme, as it is the sole entry point for exploitation.
Risk and Exploitability
The CVSS score of 8.1 highlights the severity of this flaw, while the EPSS score of less than 1% indicates a low but non‑zero probability of exploitation at the time of this analysis. The vulnerability is not listed in CISA’s KEV catalog. Attackers can trigger the flaw by sending a crafted HTTP request containing a malicious serialized object to a network‑accessible WordPress instance that loads the vulnerable theme, causing the unserialize path to be executed. Based on the description, it is inferred that the attack vector is remote network‑based exploitation of PHP deserialization logic.
OpenCVE Enrichment