Impact
An unauthenticated PHP Object Injection flaw exists in the Edge-Themes Valeska WordPress theme (versions up to 1.2.2). The flaw allows an attacker to supply malicious serialized data that is unserialized by the theme, potentially leading to the instantiation of unexpected objects and the execution of arbitrary PHP code. This could compromise the confidentiality, integrity, and availability of the affected WordPress site, possibly giving the attacker remote control over the server.
Affected Systems
The vulnerability impacts the Edge‑Themes Valeska WordPress theme versions 1.0 through 1.2.2. Users running these versions must consider updating to the patched release or applying a workaround to mitigate the risk.
Risk and Exploitability
The CVSS base score of 8.1 indicates high severity. However, the EPSS score of less than 1 % suggests that exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is unauthenticated, implying that an attacker can trigger the flaw via any web request that reaches the vulnerable code. Successful exploitation requires that the attacker be able to inject serialized data into a parameter that the theme unserializes without proper validation.
OpenCVE Enrichment