Creatify
PHP Object Injection in the EMV Creatify WordPress theme (versions up to and including 1.5) allows remote unauthenticated attackers to trigger insecure deserialization of attacker-supplied data, potentially leading to arbitrary code execution, file operations, or full site compromise depending on available gadget chains in the WordPress runtime. Patchstack catalogs this as a PHP Object Injection issue under CWE-502, and no public exploit was identified at time of analysis. EPSS data was not supplied, but the CVSS 9.8 rating reflects unauthenticated network-reachable impact.