VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

WordPress Hot Coffee theme <= 1.7 - PHP Object Injection vulnerability

CVE-2025-69108

Description

Unauthenticated PHP Object Injection in Hot Coffee WordPress theme <=1.7 allows remote code execution via a POP chain.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Hot Coffee WordPress theme, versions up to and including 1.7, is vulnerable to unauthenticated PHP Object Injection. The flaw occurs where the theme deserializes untrusted, user-supplied input without validating it, which lets an attacker inject arbitrary PHP objects. The vulnerable code path is reachable without any special configuration or authentication [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious serialized PHP object to the affected theme endpoint. No authentication or prior access is needed. Whether exploitation succeeds depends on the presence of a suitable POP (Property Oriented Programming) chain in the theme or in any active plugin; if such a chain exists, the attacker can trigger arbitrary code execution [1].

Impact

Successful exploitation can have severe consequences, including remote code execution, SQL injection, path traversal, and denial of service. The attacker gains the ability to execute arbitrary PHP code on the server, which can lead to full site compromise. The CVSS score for this vulnerability is 9.8, indicating critical severity [1].

Mitigation

The primary mitigation is to update the Hot Coffee theme to a version newer than 1.7; the official advisory recommends updating immediately. If updating is not possible, users should contact their hosting provider or a web developer for assistance. No workaround is provided, and the vulnerability is expected to be actively exploited in mass campaigns [1].
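
The advisory's root cause (deserializing untrusted input) and its remedy can be seen side by side in a small PHP script. This is an added example, not code from the Hot Coffee theme or from the advisory; the `ThemeSettings` class, the function names and the sample payloads are constructed for illustration. It shows why a bare `unserialize()` call on request data is the dangerous pattern and demonstrates three hardened alternatives a theme or plugin author can use instead.

```php
<?php
// Added example (not the Hot Coffee theme's code). Class and function names
// are hypothetical; the serialized strings below are constructed sample input.

class ThemeSettings {
    public $layout = 'default';
}

// Constructed inputs: a serialized ThemeSettings object that a theme might
// legitimately accept, and a serialized object of a class the theme never
// intended to instantiate.
$expected   = serialize(new ThemeSettings());
$unexpected = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}';

// UNSAFE: unserialize() on untrusted input instantiates whatever class the
// payload names and runs that class's magic methods (__wakeup, __destruct, ...).
// That behaviour is what a POP chain relies on.
function load_settings_unsafe(string $raw) {
    return unserialize($raw);
}

// HARDENED (1): refuse to instantiate any class. Objects in the payload
// become __PHP_Incomplete_Class stubs whose magic methods never execute.
function load_settings_no_classes(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// HARDENED (2): allow only the single class the code actually expects.
function load_settings_allowlist(string $raw) {
    return unserialize($raw, ['allowed_classes' => [ThemeSettings::class]]);
}

// HARDENED (3): do not use PHP serialization for untrusted data at all.
// JSON has no way to express "instantiate this class".
function load_settings_json(string $raw): ?array {
    $data = json_decode($raw, true);
    return (json_last_error() === JSON_ERROR_NONE && is_array($data)) ? $data : null;
}

echo get_class(load_settings_unsafe($unexpected)), PHP_EOL;      // stdClass: attacker-chosen class was instantiated
echo get_class(load_settings_no_classes($unexpected)), PHP_EOL;  // __PHP_Incomplete_Class
echo get_class(load_settings_allowlist($unexpected)), PHP_EOL;   // __PHP_Incomplete_Class
echo get_class(load_settings_allowlist($expected)), PHP_EOL;     // ThemeSettings
var_dump(load_settings_json('{"layout":"wide"}'));               // array(1) { ["layout"]=> string(4) "wide" }
```

When auditing a WordPress theme or plugin for this class of bug, search for `unserialize(` calls whose argument can be traced back to `$_GET`, `$_POST`, `$_COOKIE`, request headers or uploaded files, and check whether an `allowed_classes` option is passed; the absence of that option on request-derived data is the pattern described in this advisory.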

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 1