Impact
The vulnerability is an unauthenticated PHP Object Injection flaw present in Eldon theme versions up to 1.4.1. This weakness allows an attacker to craft a malicious serialized PHP object that is processed by the theme without proper validation, potentially leading to arbitrary code execution, data tampering, or other destructive actions. The flaw is classified as CWE‑502, indicating insecure deserialization.
Affected Systems
The affected product is the WordPress Eldon theme supplied by Edge‑Themes. All releases up to and including version 1.4.1 are vulnerable. Versions 1.5 and later contain the fix and are not affected.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, and the current EPSS score is unavailable, suggesting no publicly known exploitation data yet, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an unauthenticated web request where the attacker supplies a serialized PHP payload, which the theme processes without validation. Successful exploitation would provide the attacker with unrestricted control over the WordPress site, enabling remote code execution and full compromise of site data and services.
OpenCVE Enrichment