Impact
The vulnerability is a PHP Object Injection flaw caused by deserialization of untrusted data within the Themify Popup plugin. Attackers can inject crafted objects into the plugin’s deserialization routine, potentially enabling arbitrary code execution or other malicious actions on the affected WordPress site.
Affected Systems
The flaw affects the Themify Popup plugin for WordPress at versions 1.4.3 and earlier. Any site that has not upgraded beyond 1.4.3 is susceptible, regardless of the WordPress core version.
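The version boundary above can be checked against an installed copy by reading the `Version:` header of the plugin's main PHP file. The following is an added example, not code from the plugin or from this advisory; the function names and the sample header are constructed for illustration, and treating an unreadable version as affected is an assumption of this sketch.

```python
import re
import sys

# Constructed sample of a plugin main-file header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Themify Popup
Version: 1.4.3
*/
"""

LAST_AFFECTED = "1.4.3"  # "versions 1.4.3 and earlier", per the text above

# WordPress reads plugin metadata from a header comment in the main PHP file.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def plugin_version(php_source):
    """Return the Version header value, or None if the header is missing."""
    match = _VERSION_RE.search(php_source[:8192])  # WordPress scans the first 8 KB
    return match.group(1) if match else None


def version_tuple(version, width=4):
    """'1.4.3' -> (1, 4, 3, 0). Suffixes such as '-beta' are ignored."""
    parts = []
    for piece in version.split(".")[:width]:
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version):
    """True for 1.4.3 or earlier. An unreadable version counts as affected."""
    if version is None:
        return True
    return version_tuple(version) <= version_tuple(LAST_AFFECTED)


if __name__ == "__main__":
    # Usage: pass the path of the plugin's main PHP file as the first argument.
    source = SAMPLE_HEADER
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            source = handle.read()
    found = plugin_version(source)
    print(f"version={found} affected={is_affected(found)}")
```

The comparison is numeric per component, so a release such as 1.10.0 is not mistaken for one older than 1.4.3.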
Risk and Exploitability
The Common Vulnerability Scoring System (CVSS) score of 8.8 classifies this as a high‑severity issue. No EPSS data is published, and the vulnerability is not yet listed in CISA’s KEV catalog; however, the CVSS score and the nature of object injection suggest a high likelihood of exploitation, especially on sites that expose the plugin’s configuration UI to unauthenticated or low‑privileged users. The likely attack vector is remote, via the plugin’s HTTP endpoints that process serialized input.
OpenCVE Enrichment