Impact
The vulnerability is a PHP Object Injection flaw that allows an attacker to inject arbitrary PHP objects into the Mildhill WordPress theme without authentication. This flaw can enable attackers to execute arbitrary code on the affected site, compromising confidentiality, integrity, and availability of site data. The weakness aligns with CWEs that involve insecure deserialization, where malicious inputs can alter program flow and trigger unintended behavior.
Affected Systems
Select‑Themes figures the Mildhill theme as the affected product. Any WordPress site running the Mildhill theme version 1.5 or earlier is susceptible, regardless of the WordPress core version. The issue is present in all sub‑versions of Mildhill <= 1.5.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, though the EPSS score is currently not available. The vulnerability is listed as not being in the CISA KEV catalog. Because the flaw can be triggered without authentication, it can be exploited by any external user who can access the site’s front end or by sending crafted requests that the theme processes. Attackers can exploit the issue by leveraging untrusted input that the theme passes to PHP’s unserialize functionality, potentially resulting in remote code execution.
OpenCVE Enrichment