Impact
The vulnerability is an unauthenticated PHP Object Injection in the WordPress Playroom Theme up to version 1 4 1. By crafting serialized PHP objects into a request that is processed by the theme, an attacker can manipulate the object's properties, leading to arbitrary PHP code execution on the server. This falls under CWE‑502, which addresses the improper handling of serialized data and can compromise confidentiality, integrity, and availability if exploited.
Affected Systems
The affected product is the Elated‑Themes Playroom theme for WordPress. Vulnerable configurations run any Playroom version <= 1.4.1. The official recommendation is to update the theme to version 1.5 or newer to eliminate the flaw.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity, and the EPSS score of < 1 % shows a very low probability of widespread exploitation at present. It is not listed in the CISA KEV catalog. The flaw is unauthenticated, meaning an attacker can deliver a malicious serialized payload without needing prior access, potentially via a public web request. Exploitation does not require complex prerequisites, so while the likelihood is low, the impact is serious if an adversary initiates the attack.
OpenCVE Enrichment