VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

WordPress SeaFood Company theme <= 1.4 - PHP Object Injection vulnerability

CVE-2025-69122

Description

Unauthenticated PHP Object Injection in SeaFood Company WordPress theme <=1.4 allows remote code execution via crafted serialized input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The SeaFood Company WordPress theme versions 1.4 and earlier are vulnerable to unauthenticated PHP Object Injection. The vulnerability exists in the theme's handling of user-supplied input that is deserialized without proper validation. No authentication or special configuration is required to reach the vulnerable code path. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious serialized PHP object to the affected theme endpoint. No prior authentication or user interaction is needed. The attacker only requires network access to the target WordPress site. [1]

Impact

Successful exploitation can lead to arbitrary code execution, SQL injection, path traversal, or denial of service if a suitable POP (Property-Oriented Programming) chain is present in the environment. The CVSS score is 9.8, indicating critical severity. This vulnerability is expected to be used in mass-exploitation campaigns. [1]

Mitigation

Users should update the SeaFood Company theme to the latest available version immediately. If no patched version is yet available, consider disabling the theme or implementing a web application firewall rule to block malicious serialized payloads. Contact your hosting provider for assistance if needed. [1]
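The Mitigation paragraph suggests a web application firewall rule that blocks serialized payloads. The following is an added example (not code from the theme, this advisory, or any WAF product) of the matching logic such a rule needs, covering URL-encoded and base64-wrapped values as well as plain ones. The parameter names and sample requests are constructed; the theme's vulnerable parameter is not stated on this page.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# PHP serialize() object headers: O:<len>:"<Class>":<count>:{ and C:<len>:"<Class>":<len>:{
# An optional '+' before the length is tolerated so a signed length does not slip past.
OBJECT_HEADER = re.compile(r'(?:^|[^A-Za-z0-9])[OC]:\+?\d+:"[^"]+":\d+:\{')
BASE64_RUN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')

# Constructed sample requests (parameter name -> value); not taken from real traffic.
SAMPLE_REQUESTS = {
    "plain":  {"data": 'O:8:"stdClass":0:{}'},
    "urlenc": {"data": "O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"},
    "double": {"data": "O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D"},
    "base64": {"cookie": base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode()},
    "benign": {"q": "fish:2:kg", "prefs": 'a:1:{s:4:"lang";s:2:"en";}'},
}

def decoded_views(value, max_rounds=3):
    """Yield the value, its repeated URL-decodings, and base64-decoded runs of each."""
    seen, current = set(), value
    for _ in range(max_rounds + 1):
        if current in seen:
            break  # URL-decoding reached a fixed point
        seen.add(current)
        yield current
        for run in BASE64_RUN.findall(current):
            try:
                yield base64.b64decode(run + "=" * (-len(run) % 4)).decode("latin-1")
            except (binascii.Error, ValueError):
                pass  # not valid base64, ignore this run
        current = unquote_plus(current)

def find_serialized_object(params):
    """Return the names of parameters whose value carries a PHP object header."""
    return sorted(name for name, value in params.items()
                  if any(OBJECT_HEADER.search(v) for v in decoded_views(value)))

def scan(requests):
    """Map each request label to the list of offending parameter names."""
    return {label: find_serialized_object(p) for label, p in requests.items()}

if __name__ == "__main__":
    for label, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{label:8} {'BLOCK ' + ','.join(hits) if hits else 'allow'}")
```

Serialized arrays and strings without an object header are allowed through, which keeps ordinary serialized preferences working while rejecting any value that would instantiate a class on `unserialize()`.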

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1