WordPress Roisin theme <= 1.4 - PHP Object Injection vulnerability

Vulnerability

The Roisin WordPress theme versions up to and including 1.4 are vulnerable to unauthenticated PHP Object Injection. This occurs due to unsafe deserialization of user-supplied input, allowing an attacker to inject arbitrary PHP objects. No authentication is required to exploit this vulnerability. [1]

Exploitation

An unauthenticated attacker can send a crafted HTTP request containing a malicious serialized PHP object. The vulnerability is triggered when the theme unserializes this input. No user interaction or special privileges are needed. This type of vulnerability is often used in mass-exploit campaigns targeting thousands of websites. [1]

Impact

Successful exploitation can lead to arbitrary code execution, SQL injection, path traversal, denial of service, or other severe outcomes, depending on available POP (Property Oriented Programming) chains. The CVSS score is 8.1, indicating high severity. Due to the ease of exploitation and potential for mass exploitation, this vulnerability is considered highly dangerous. [1]

Mitigation

The vendor has released version 1.5, which fixes the vulnerability. Users are strongly advised to update to version 1.5 or later immediately. Patchstack has also issued a mitigation rule to block attacks until the update is applied. No other workarounds are mentioned in the available references. [1]