This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: PHP Object Injection via **Untrusted Data Deserialization**.β¦
π‘οΈ **Root Cause**: **CWE-502** (Deserialization of Untrusted Data). <br>π **Flaw**: The plugin fails to validate/sanitize data before passing it to PHP's `unserialize()`.β¦
π’ **Vendor**: Edge-Themes. <br>π¦ **Product**: WordPress Theme **Pelicula**. <br>π **Affected Versions**: **< 1.10**. If you are running 1.09 or lower, you are vulnerable.
Q4What can hackers do? (Privileges/Data)
π΅οΈ **Attacker Actions**: <br>1οΈβ£ **Execute Code**: Run arbitrary PHP commands on the server. <br>2οΈβ£ **Access Data**: Read sensitive files (wp-config.php, user DB).β¦
β‘ **Threshold**: **LOW**. <br>π **Auth**: None required (PR:N). <br>π±οΈ **UI**: None required (UI:N). <br>π **Network**: Remote (AV:N). <br>β **Difficulty**: Easy. No login or special config needed to trigger.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π **Public Exploit**: **No**. <br>π« **PoC**: Empty list in data. <br>β οΈ **Risk**: While no public PoC exists, the CVSS score (9.8) indicates high severity.β¦
π **Self-Check**: <br>1οΈβ£ Check WP Admin > Themes for **Pelicula** version. <br>2οΈβ£ Verify version is **< 1.10**. <br>3οΈβ£ Scan for `unserialize()` calls in `pelicula` theme files without input validation.β¦
π₯ **Urgency**: **CRITICAL (P1)**. <br>π **Priority**: Patch **IMMEDIATELY**. <br>π **CVSS**: 9.8 (Critical). <br>β³ **Time**: Zero-day risk is high due to low exploitation barrier. Do not wait for PoC.