WordPress Behold theme <= 1.5 - PHP Object Injection vulnerability

Vulnerability

An unauthenticated PHP Object Injection vulnerability exists in the WordPress Behold theme version 1.5 and earlier [1]. The vulnerability resides in a code path that deserializes user-supplied input without proper sanitization or authentication checks, enabling injection of arbitrary PHP objects if a suitable POP (Property Oriented Programming) chain exists in the application or its dependencies [1].

Exploitation

An attacker with no prior authentication or privileged access can exploit this vulnerability by sending a crafted malicious serialized object to an unpatched Behold theme installation [1]. The vector is network-accessible, and no user interaction is required. The attack is automated and known to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation can lead to arbitrary code execution, SQL injection, path traversal, or denial of service, depending on the available POP chain in the runtime environment [1]. The attacker gains at least the privilege level of the web server process, potentially leading to full site compromise [1].

Mitigation

Update to version 1.6 or later of the Behold theme to resolve the vulnerability [1]. If immediate update is not possible, contact your hosting provider or web developer for assistance, and consider implementing a WAF rule to block attacks until the update is applied [1]. No other workarounds are disclosed in the available references.