Impact
Unauthenticated PHP Object Injection in the LuxeDrive theme up to version 1.4 enables attackers to insert crafted serialized data that becomes parsed by the theme, potentially allowing arbitrary code execution or other malicious actions that compromise the WordPress installation’s confidentiality, integrity, or availability. The weakness corresponds to CWE‑502, indicating deserialization of untrusted data without adequate validation.
Affected Systems
Mikado‑Themes’ WordPress LuxeDrive theme versions 1.4 and earlier. Any WordPress site that has not upgraded beyond version 1.4 is susceptible.
Risk and Exploitability
With a CVSS score of 8.1 the vulnerability is rated high severity. The EPSS score is below 1 %, suggesting that, while the technical risk is significant, the probability that attackers will exploit this flaw in the wild is low at present. The issue is not listed in CISA’s KEV catalog. Because the attack does not require authentication, the likely attack vector is an unauthenticated HTTP request carrying a maliciously crafted serialized payload, which the theme processes during routine operations.
OpenCVE Enrichment