Impact
The vulnerability is a classic PHP Object Injection flaw in the Select‑Themes Manufaktur Solutions WordPress theme, version 1.1.1 and earlier. Because the theme does not properly sanitize or restrict the classes that can be deserialized, an attacker can craft a payload that instantiates arbitrary PHP objects. Executing such code can lead to arbitrary code execution on the web server, giving the attacker full control over the site.
Affected Systems
Any WordPress installation that has the Manufaktur Solutions theme (Select‑Themes) installed at a version older than 1.2 is affected. This includes sites using the default theme, gallery, or ecommerce components that rely on the theme's PHP scripts.
Risk and Exploitability
The vulnerability has a CVSS score of 8.1, indicating a high severity. The EPSS score is not available, and the flaw is not listed in CISA's KEV catalog. Because authentication is not required and the flaw depends on deserialization in a public theme file, an attacker can target the site via any HTTP request that triggers the vulnerable code. Exploitation is straightforward for an attacker familiar with PHP Object Injection, making the risk high for any exposed WordPress site using the affected theme.
OpenCVE Enrichment