WordPress Valeska theme <= 1.2.2 - PHP Object Injection vulnerability

Vulnerability

The Valeska WordPress theme versions up to and including 1.2.2 are vulnerable to unauthenticated PHP Object Injection. The vulnerability exists in the theme's handling of user-supplied input that is passed to unserialize() without proper sanitization, allowing an attacker to inject arbitrary PHP objects. No authentication is required to trigger the vulnerability. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious serialized PHP object to the vulnerable endpoint. No prior authentication or user interaction is needed. The attacker must have network access to the target WordPress site. The exploitation is straightforward and can be automated, making it suitable for mass exploitation campaigns. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code if a suitable POP (Property Oriented Programming) chain is present in the WordPress core or installed plugins/themes. This can lead to complete site compromise, including data theft, SQL injection, path traversal, denial of service, and other malicious actions. The vulnerability is rated with a CVSS score of 8.1 (High) and is expected to be actively exploited. [1]

Mitigation

The vulnerability is fixed in version 1.3 of the Valeska theme. Users are strongly advised to update to 1.3 or later immediately. If unable to update, users can apply a mitigation rule from Patchstack to block attacks until the update is applied. No other workarounds are mentioned in the available references. [1]