Impact
The vulnerability is an unauthenticated PHP Object Injection flaw that allows a remote attacker to insert malicious object instances into the application’s deserialization process. Because the flaw resides in the deserialization logic, a crafted payload can lead to arbitrary code execution on the server. The weakness aligns with CWE‑502, deserialization of untrusted data, which is a high‑severity vulnerability that can compromise confidentiality, integrity, and availability of the affected system.
Affected Systems
The Edge‑Themes Laurits WordPress theme, versions 1.5.1 and earlier, is affected. Any WordPress installation that has this theme installed and active potentially exposes the flaw, regardless of the WordPress core version. Users of the theme should verify that they are running a version newer than 1.5.1.
Risk and Exploitability
The CVSS score of 8.1 indicates a high likelihood of exploitation if permitted. The EPSS score of less than 1% suggests that, at present, this vulnerability is not widely exploited, but the presence of an unauthenticated vector removes the need for credentials. The vulnerability is not listed in CISA’s KEV catalog, but the potential for remote code execution warrants prompt action. An attacker can exploit the system by submitting a specially crafted request that triggers deserialization of an injected object, which can execute arbitrary code on the server.
OpenCVE Enrichment