WordPress Esmée theme <= 1.4 - PHP Object Injection vulnerability

Vulnerability

The Esmée WordPress theme versions up to and including 1.4 contain an unauthenticated PHP Object Injection vulnerability. The flaw arises from deserialization of untrusted input without proper sanitization, allowing an attacker to inject arbitrary PHP objects. This affects all installations running Esmée 1.4 and earlier [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious serialized PHP object to the vulnerable endpoint. No authentication or prior access is required. The attacker must craft a payload that, upon deserialization, triggers a POP (Property-Oriented Programming) chain to achieve code execution [1].

Impact

Successful exploitation can lead to remote code execution, SQL injection, path traversal, and denial of service, depending on available POP chains. An attacker can gain full control over the affected WordPress site, including data exfiltration, site defacement, or using the server for further attacks [1].

Mitigation

The vulnerability is fixed in version 1.5 of the Esmée theme. Users must update to 1.5 or later immediately [1]. For those unable to update, Patchstack provides a virtual mitigation rule to block attacks until the theme is updated [1]. No other workarounds are documented.