WordPress Elementra theme <= 1.0.9 - PHP Object Injection vulnerability

Vulnerability

An unauthenticated PHP Object Injection vulnerability exists in the Elementra WordPress theme in versions 1.0.9 and earlier. The flaw stems from insecure deserialization of user-supplied input without proper validation or sanitization. This allows an attacker to inject arbitrary PHP objects if a suitable POP chain is present in the environment [1].

Exploitation

An attacker does not require authentication to exploit this vulnerability. The attack vector is network-based, and exploitation does not require any user interaction or high privileges. By sending a crafted request containing a malicious serialized PHP object to the vulnerable endpoint, the attacker can cause the application to deserialize the payload. The presence of a POP chain (gadget chains) in the plugin or installed dependencies can then lead to code execution [1].

Impact

Successful exploitation can lead to severe consequences, including arbitrary code execution, SQL injection, path traversal, and denial of service. The vulnerability has a CVSS score of 9.8 (Critical) and is considered highly dangerous, with the potential to be used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

The vulnerability is patched in Elementra version 1.1.0. Users are strongly advised to update immediately. If immediate updating is not possible, it is recommended to contact the hosting provider or web developer for assistance, or apply a virtual patch / mitigation rule that blocks malicious payloads. The vulnerability is expected to become actively exploited [1].