Impact
An unauthenticated PHP Object Injection flaw exists in the Roisin theme version 1.4 and earlier for WordPress. The vulnerability allows an attacker to craft input that is deserialized by the theme code, enabling the instantiation of arbitrary PHP objects. This flaw is a classic example of CWE‑502: Deserialization of Untrusted Data, and can potentially lead to remote code execution, data tampering, or system compromise if the attacker can control object properties and method calls.
Affected Systems
The affected product is the Roisin theme provided by Elated Themes. Versions 1.4 and all earlier releases are vulnerable. Users running any of these versions on a WordPress installation are at risk unless the theme is updated to 1.5 or newer.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests the probability of exploitation is low at present. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is unauthenticated, any user able to submit data that reaches the vulnerable code—likely through a public-facing form or URL parameter—could trigger the injection. Once the attacker injects a crafted payload, PHP object instantiation may execute arbitrary code on the host, giving complete control of the affected WordPress site.
OpenCVE Enrichment