Impact
An unauthenticated PHP Object Injection flaw exists in the Thrive Apprentice plugin for WordPress versions prior to 10.8.10.2. The vulnerability allows an attacker to supply malicious serialized data that the plugin deserializes, creating arbitrary PHP objects. This can lead to the execution of arbitrary code, potentially compromising the confidentiality, integrity and availability of the infected site. The flaw is classified as CWE‑502, which denotes deserialization of untrusted data.
Affected Systems
WordPress installations that have the Thrive Apprentice plugin installed with a version older than 10.8.10.2 are affected. The vulnerability applies to any site that loads the plugin, regardless of user role, because authentication is not required to trigger the deserialization logic.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical severity. Although an EPSS score is not publicly available, the lack of a CISA KEV listing does not reduce the risk; the vulnerability remains highly exploitable, especially in environments where the plugin is exposed to the public internet. Likely attack vectors involve unauthenticated HTTP requests that carry crafted serialized objects to the plugin’s deserialization endpoint, a scenario inferred from the description as the attack does not require credentials.
OpenCVE Enrichment