WordPress Santé theme <= 1.5.1 - PHP Object Injection vulnerability

Vulnerability

The WordPress Santé theme versions 1.5.1 and earlier contain an unauthenticated PHP Object Injection vulnerability [1]. The flaw exists due to unsafe deserialization of user-supplied input without proper sanitization or validation, enabling an attacker to inject arbitrary PHP objects. Affected versions are all releases up to and including 1.5.1.

Exploitation

An attacker can exploit this vulnerability remotely without authentication by sending a crafted request containing a malicious serialized PHP object [1]. No special network position or user interaction is required; the vulnerability is reachable through standard HTTP requests to the theme's processing functions.

Impact

Successful exploitation can lead to arbitrary code execution, SQL injection, path traversal, denial of service, and other severe consequences if a suitable POP (Property-Oriented Programming) chain is available [1]. The attacker gains full control over the affected WordPress site, potentially compromising data, integrity, and availability.

Mitigation

The vulnerability is fixed in version 1.6 of the Santé theme [1]. Users are strongly advised to update immediately. If updating is not possible, Patchstack provides a mitigation rule to block attacks until the update can be applied [1]. The vulnerability is considered high risk and is expected to be actively exploited in mass campaigns [1].