Impact
This vulnerability is an unauthenticated PHP Object Injection flaw that allows an attacker to exploit the way the Zoya theme processes serialized data. Because the flaw enables arbitrary object creation, an attacker could ultimately execute malicious code on the web server, compromising confidentiality, integrity, and availability of the affected WordPress site.
Affected Systems
The issue affects the Mikado-Themes Zoya theme versions up to and including 1.4. Users running any of these versions on their WordPress installations are at risk. Version 1.5 or later contains the necessary fix.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity. No EPSS score is publicly available, and the vulnerability is not listed in CISA KEV, suggesting it may not yet be widely exploited in the wild. Nonetheless, because the flaw can be triggered by unauthenticated traffic, the potential for exploitation is high. Attackers could inject serialized objects via crafted requests to the theme, causing arbitrary code execution on the server.
OpenCVE Enrichment