Impact
The vulnerability is a PHP Object Injection flaw present in EasyMeals theme versions 1.5.1 and earlier. The theme deserializes data that can be supplied by an unauthenticated user, a weakness characterized by CWE‑502. When an attacker supplies a crafted serialized object, the unserialize() call can instantiate arbitrary PHP objects, potentially allowing the attacker to execute code, modify server files, or otherwise compromise the application. The primary impact is the possibility of remote code execution, which can lead to complete compromise of the WordPress site, data theft, defacement, or the installation of malware. The vulnerability permits exploitation without the need for login credentials, relying only on the unfiltered input accepted by the theme.
Affected Systems
The affected product is the Mikado‑Themes EasyMeals WordPress theme. Versions 1.5.1 and all earlier releases are vulnerable. Administrators should review the theme version deployed on their sites and determine whether it matches the safe version 1.6 or higher.
Risk and Exploitability
The CVSS score of 8.1 places this flaw in the high‑severity range, indicating significant impact if exploited. EPSS availability is not provided, so the current likelihood of exploitation remains unknown, but the lack of KEV listing suggests no widespread exploitation reported yet. Nonetheless, because the attack requires no authentication and leverages a built‑in unserialize call, the practical exploitation window is large. Site owners should treat this as a high‑risk vulnerability and address it urgently, as the potential for remote code execution is well documented for similar injection flaws.
OpenCVE Enrichment