Impact
The vulnerability is an unauthenticated PHP Object Injection flaw in the WordPress TechLink theme versions 1.3 and earlier. By exploiting this weakness, an attacker can craft input that causes the vulnerable code to instantiate arbitrary PHP objects, potentially leading to the execution of arbitrary code or privilege escalation on the affected WordPress installation. The weakness maps to CWE-502 and the associated CVSS score of 8.1 indicates a high severity impact on confidentiality, integrity, and availability.
Affected Systems
The affected vendor is Mikado‑Themes with the TechLink theme. All releases up to and including version 1.3 are impacted. Affected installations must check the theme version and upgrade if necessary.
Risk and Exploitability
The exploit probability is very low as reflected by an EPSS score of less than 1%. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an unauthenticated web request that supplies a crafted payload to a vulnerable endpoint. Given the high CVSS score, if an attacker succeeds, they could gain complete control over the WordPress site.
OpenCVE Enrichment