WordPress Léonie theme <= 1.2.1 - PHP Object Injection vulnerability

Vulnerability

The Léonie WordPress theme versions up to and including 1.2.1 are vulnerable to unauthenticated PHP object injection. The vulnerability arises from unsafe deserialization of user-supplied input, allowing an attacker to inject arbitrary PHP objects without authentication. This affects all installations running Léonie 1.2.1 or earlier [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious serialized PHP object to a vulnerable endpoint. No authentication or user interaction is required. If a suitable POP (Property Oriented Programming) chain exists—commonly present in WordPress core or other plugins/themes—the attacker can achieve arbitrary code execution [1].

Impact

Successful exploitation can lead to complete compromise of the WordPress site. Potential outcomes include remote code execution, SQL injection, path traversal, denial of service, and other severe impacts. The attack is unauthenticated and can be automated, making it highly dangerous and likely to be used in mass-exploit campaigns [1].

Mitigation

Update the Léonie theme to version 1.3 or later, which contains the fix. If immediate updating is not possible, Patchstack offers a mitigation rule to block attacks until the update is applied. This vulnerability is expected to be actively exploited, so prompt action is recommended [1].