VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

WordPress EmallShop theme <= 2.4.21 - PHP Object Injection vulnerability

CVE-2026-39443

Description

Unauthenticated PHP Object Injection in EmallShop WordPress theme <=2.4.21 allows attackers to execute arbitrary code via a malicious POP chain.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The EmallShop WordPress theme, versions 2.4.21 and earlier, is vulnerable to unauthenticated PHP Object Injection. This occurs through an insecure unserialize() call on user-supplied input without proper validation or sanitization. No authentication or special configuration is required for the vulnerable code path to be reachable. Affected versions are EmallShop 2.4.21 and all prior releases [1].
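The advisory's own source is not on this page, so the following is an added illustration, not EmallShop's code: the unserialize()-on-untrusted-input pattern it describes beside two hardened forms. The `AuditMarker` class and the sample input are constructed here; PHP 8 is assumed.

```php
<?php
// Added illustration, not EmallShop's code. Class and sample input are constructed here.

// Constructed stand-in for any loaded class with a magic method: once unserialize()
// may instantiate it, attacker-chosen property values reach __wakeup()/__destruct().
class AuditMarker {
    public static array $seen = [];
    public string $note = '';
    public function __wakeup(): void {
        // Runs inside unserialize(), before the caller has validated anything.
        self::$seen[] = $this->note;
    }
}

// 1. The pattern the advisory describes: untrusted bytes straight into unserialize().
function load_unsafe(string $raw): mixed {
    return unserialize($raw);            // instantiates whatever class the input names
}

// 2. Hardened: no class may be instantiated. Any object in the payload degrades to
//    __PHP_Incomplete_Class, so no real class's __wakeup()/__destruct() runs;
//    the result is then rejected outright if it carries any object at all.
function load_scalar_only(string $raw): mixed {
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (contains_object($data)) {
        throw new UnexpectedValueException('object in serialized input rejected');
    }
    return $data;
}

// 3. Preferred for new code: JSON cannot express PHP objects at all.
function load_json(string $raw): mixed {
    return json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
}

function contains_object(mixed $v): bool {
    if (is_object($v)) { return true; }
    if (is_array($v)) { foreach ($v as $e) { if (contains_object($e)) { return true; } } }
    return false;
}

// Constructed input: a settings array that smuggles an AuditMarker instance.
$marker = new AuditMarker();
$marker->note = 'from untrusted input';
$raw = serialize(['theme' => 'demo', 'extra' => $marker]);

load_unsafe($raw);                       // __wakeup() fires during this call
$hits = count(AuditMarker::$seen);
try { load_scalar_only($raw); } catch (UnexpectedValueException $e) { echo $e->getMessage(), "\n"; }
echo ($hits === count(AuditMarker::$seen)) ? "hardened path instantiated nothing\n" : "unexpected\n";
```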

Exploitation

An attacker needs neither prior authentication nor a privileged network position: the vulnerability is exploited by sending a crafted serialized PHP object to the affected endpoint, and no user interaction is required. If a suitable POP (Property Oriented Programming) gadget chain exists in WordPress core or in an installed plugin or theme, deserialization of the malicious object leads to code execution [1].

Impact

Successful exploitation allows an unauthenticated attacker to achieve arbitrary code execution, SQL injection, path traversal, or denial of service, depending on the available POP chain. The attacker gains full control over the server at the level of the web application, potentially compromising the entire WordPress installation and its data [1].

Mitigation

The vendor has released a patched version 2.4.22 to fix the vulnerability. Users must update the EmallShop theme to version 2.4.22 or later immediately. For users unable to update, Patchstack provides a virtual mitigation rule that blocks attacks until the theme is updated [1].

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; this section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.