Impact
The Ashtanga theme for WordPress, versions 1.2 and earlier, contains an unauthenticated PHP Object Injection flaw. An attacker can supply a crafted serialized payload to the theme’s processing logic, triggering the unserialize function on untrusted data. This leads to potential remote code execution or other destructive actions, as the injected object can execute arbitrary PHP code. The weakness is catalogued as CWE‑502 (Deserialization of Untrusted Data).
Affected Systems
All WordPress sites that have deployed Mikado Themes’ Ashtanga theme version 1.2 or older are affected. Sites using version 1.3 or later are considered fixed.
Risk and Exploitability
The CVSS score is 8.1, indicating high severity. The EPSS score is less than 1%, indicating a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is unauthenticated, a remote attacker can trigger it over the network, potentially achieving full code execution on the web server or compromising site data. Exploitation requires sending a crafted serialized PHP object to the theme’s processing entry point, which is feasible with standard HTTP requests.
OpenCVE Enrichment