Grand Photography
Monthly
PHP Object Injection in the ThemeGoods Grand Photography WordPress theme (all versions up to and including 5.7.8) lets remote attackers deliver crafted serialized data to an unsafe unserialize() sink, potentially achieving code execution, file operations, or SQL injection through POP gadget chains. The CVSS 9.8 rating reflects unauthenticated network exploitation (PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Cross-Site Request Forgery (CSRF) in ThemeGoods Grand Photography WordPress theme versions up to 5.7.8 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. The vulnerability requires user interaction (clicking a malicious link) but carries low real-world exploitation risk, with an EPSS score of 0.01% indicating minimal practical likelihood of attack despite the moderate CVSS 5.4 rating.
PHP Object Injection in the ThemeGoods Grand Photography WordPress theme (all versions up to and including 5.7.8) lets remote attackers deliver crafted serialized data to an unsafe unserialize() sink, potentially achieving code execution, file operations, or SQL injection through POP gadget chains. The CVSS 9.8 rating reflects unauthenticated network exploitation (PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Cross-Site Request Forgery (CSRF) in ThemeGoods Grand Photography WordPress theme versions up to 5.7.8 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. The vulnerability requires user interaction (clicking a malicious link) but carries low real-world exploitation risk, with an EPSS score of 0.01% indicating minimal practical likelihood of attack despite the moderate CVSS 5.4 rating.