Impact
Unauthenticated PHP Object Injection is present in WordPress AI Lab theme versions below 5.4.2. This flaw allows an attacker to instantiate arbitrary objects through crafted input, which can trigger malicious code execution or manipulation of application state. The weakness is identified as CWE‑502 and can be leveraged to compromise the WordPress installation and the data it manages.
Affected Systems
The affected product is the WordPress AI Lab theme from jwsthemes. Versions lower than 5.4.2 are vulnerable; the patch is available starting at 5.4.2.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical severity, and while the EPSS data is absent, the lack of authentication requirements and the high score suggest a significant exploitation likelihood. The vulnerability is not yet listed in the CISA KEV catalog, but its potential impact warrants immediate attention. Attackers can exploit the flaw through unauthenticated requests to the theme’s endpoints or by manipulating query parameters, making it broadly exploitable over the internet.
OpenCVE Enrichment