Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network-reachable unserialize sink (AV:N/AC:L/PR:N/UI:N); worst-case gadget-driven RCE justifies C:H/I:H/A:H, though real impact depends on available POP chains.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Photography grandphotography allows Object Injection.This issue affects Grand Photography: from n/a through <= 5.7.8.
AnalysisAI
PHP Object Injection in the ThemeGoods Grand Photography WordPress theme (all versions up to and including 5.7.8) lets remote attackers deliver crafted serialized data to an unsafe unserialize() sink, potentially achieving code execution, file operations, or SQL injection through POP gadget chains. The CVSS 9.8 rating reflects unauthenticated network exploitation (PR:N/UI:N) with full confidentiality, integrity, and availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target site runs ThemeGoods Grand Photography at version 5.7.8 or earlier and that attacker-controlled input reaches the theme's unserialize() sink. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8) describes a trivially reachable, unauthenticated, network-facing flaw with total system impact, which on paper is maximum priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker crafts a serialized PHP object payload and submits it to a Grand Photography endpoint that unserializes user input; when the payload is deserialized it triggers a POP gadget chain present on the site, leading to actions such as arbitrary file write or SQL injection and potentially full site takeover. Because the CVSS vector is AV:N/AC:L/PR:N/UI:N, this requires only a single crafted HTTP request with no authentication or user interaction. … |
| Remediation | No fixed version is stated in the available data (affected range is 'n/a through <= 5.7.8'), so no vendor-released patch is confirmed at time of analysis; monitor ThemeGoods and the Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/grandphotography/vulnerability/wordpress-grand-photography-theme-5-7-8-php-object-injection-vulnerability) for a release above 5.7.8 and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, conduct a complete inventory of WordPress installations to identify all instances of ThemeGoods Grand Photography theme version 5.7.8 or earlier and disable the theme immediately as a temporary mitigation measure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Grand Photography
View allSame weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43390