WordPress LuxeDrive theme <= 1.4 - PHP Object Injection vulnerability

Vulnerability

The LuxeDrive WordPress theme versions up to and including 1.4 are vulnerable to unauthenticated PHP Object Injection. The vulnerability occurs when user-supplied input is passed to an unserialize() function without proper sanitization, allowing an attacker to inject arbitrary PHP objects. No authentication is required to exploit this flaw. Affected versions: all versions <= 1.4. [1]

Exploitation

An attacker with network access can exploit this vulnerability by sending a crafted HTTP request containing a malicious serialized PHP object. No user interaction or elevated privileges are needed. The attack does not require any specific configuration, as the vulnerable code is reachable by default in the theme. The exploitation is straightforward and is expected to be incorporated into mass-exploit campaigns. [1]

Impact

Successful exploitation can lead to arbitrary code execution if a suitable POP (Property Oriented Programming) chain exists in the installed plugins or theme. Additionally, it may enable SQL injection, path traversal, denial of service, or other attacks depending on the available POP gadgets. The impact is severe, as an attacker could gain full control over the affected WordPress site. [1]

Mitigation

The vulnerability is fixed in LuxeDrive version 1.5 and later. Users are strongly advised to update to version 1.5 or higher immediately. If an immediate update is not possible, applying a virtual patch or mitigation rule (e.g., from Patchstack) can block exploitation attempts. Due to the high risk of mass exploitation, this update should be treated as urgent. [1]