Impact
The Esmée WordPress theme versions 1.4 and earlier contain an unauthenticated PHP Object Injection flaw that can allow an attacker to craft malicious object serialization data. This weakness is a classic instance of CWE-502 and, if exploited, can lead to arbitrary code execution or compromise of the web application, potentially exposing sensitive data or allowing full control of the WordPress site.
Affected Systems
The vulnerability affects Mikado-Themes' Esmée theme installed in WordPress environments running version 1.4 or any earlier release. No other products are listed as impacted.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity level, while the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The flaw is not currently listed in the CISA KEV catalog, and no public exploit has been reported. Attackers likely target the site via unauthenticated web requests that trigger the object injection mechanism, which could result in code execution if the environment processes the injected objects without proper validation.
OpenCVE Enrichment