Impact
Unauthenticated PHP Object Injection in WordPress Léonie theme versions 1.2.1 and earlier allows an attacker to inject malicious objects into PHP's unserialize function, potentially yielding arbitrary code execution. This weakness is defined by CWE-502 and can compromise confidentiality, integrity, and availability of the affected site.
Affected Systems
Elated‑Themes’ WordPress Léonie theme 1.2.1 and older on any WordPress installation are vulnerable. The recommended fix is to upgrade to version 1.3 or later.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity vulnerability, while an EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is unauthenticated, meaning any visitor could trigger it; the lack of listing in CISA’s KEV catalog indicates it has not been documented as a known exploited vulnerability. Prompt patching is advised to mitigate the risk of remote code execution.
OpenCVE Enrichment