Impact
Unauthenticated PHP Object Injection in WordPress Micdrop Theme versions 1.3.1 and earlier allows an attacker to inject malicious objects through serialized data. This vulnerability, classified as CWE-502, can lead to full remote code execution on the affected site, compromising confidentiality, integrity, and availability of the web application and potentially the underlying server environment.
Affected Systems
The vulnerability affects the Micdrop Theme published by Select‑Themes. All users running Micdrop versions 1.3.1 or older are impacted. The recommended fix is to upgrade to Micdrop 1.4 or later, which contains the necessary patch.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% shows a low likelihood of exploitation observed in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote exploitation via crafted serialized input from an unauthenticated user, which can be supplied through various WordPress interfaces that accept serialized data. If exploited, the attacker gains the privileges of the web server process and can execute arbitrary PHP code, delete or modify data, and pivot to other parts of the infrastructure.
OpenCVE Enrichment