Impact
An unauthenticated PHP Object Injection vulnerability exists in the Edge‑Themes Behold WordPress theme through version 1.5. By manipulating serialized PHP data, an attacker can cause the theme to instantiate objects without proper validation. This flaw enables the execution of arbitrary code on the web server, potentially compromising the confidentiality, integrity, and availability of the affected site.
Affected Systems
WordPress sites that use the Edge‑Themes Behold theme version 1.5 or earlier are affected. The vulnerability applies to all installations of this theme, regardless of the hosting environment. The exact cab allowed you update to a later release (1.6 or higher).
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity vulnerability, while the EPSS score of less than 1% suggests a low current likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. Attackers can reach the vulnerable code via the public web interface with no authentication required, making exploitation practically straightforward when the theme is in use.
OpenCVE Enrichment