Impact
This vulnerability is a PHP Object Injection flaw classified as CWE-502. An attacker can supply specially crafted input that is unserialized by the ShiftUp theme, allowing the creation of arbitrary PHP objects. Exploitation can lead to malicious code execution, compromising confidentiality, integrity, and availability of the affected WordPress site.
Affected Systems
The affected product is the Mikado‑Themes ShiftUp WordPress theme, specifically all releases up to and including version 1.3. Any site using these versions with the theme installed is vulnerable.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, while the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. The flaw is unauthenticated and can be triggered via exposed web interfaces, so attackers with internet access to the site can initiate exploitation without special privileges. The primary attack vector is therefore over the network, through the theme’s handling of user-supplied data.
OpenCVE Enrichment