Hot Coffee
An unauthenticated PHP Object Injection vulnerability in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers to inject arbitrary serialized PHP objects, potentially triggering property-oriented programming (POP) chains that lead to remote code execution, arbitrary file operations, or full site compromise. The flaw was disclosed by Patchstack and carries a CVSS score of 9.8 because it is reachable over the network with no authentication or user interaction, though no public exploit has been identified at the time of analysis.
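For log triage on sites running an affected version, the following added example (not part of the advisory or of the theme's code) flags request parameters that carry a PHP `serialize()` object header, including one extra layer of URL or base64 encoding. The advisory does not name the affected parameter, so the parameter names and sample URLs are constructed, and `stdClass` stands in as a harmless class name.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# PHP serialize() object headers: O:<len>:"<Class>":<count>:{ or C:<len>:"<Class>":<bytes>:{
OBJ_RE = re.compile(r'\b[OC]:(\d+):"([^"]*)":\d+:\{')

def object_classes(text):
    """Class names from object headers whose declared length matches the name."""
    return [m.group(2) for m in OBJ_RE.finditer(text)
            if int(m.group(1)) == len(m.group(2).encode())]

def views(value):
    """Yield the value as received, URL-decoded once more, and base64-decoded."""
    yield value
    again = unquote_plus(value)
    if again != value:
        yield again  # double URL-encoding
    try:
        padded = value + "=" * (-len(value) % 4)
        yield base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass  # not base64

def scan_request(url):
    """Return sorted (parameter, class) findings for one request URL."""
    findings = set()
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for view in views(value):
            findings.update((name, cls) for cls in object_classes(view))
    return sorted(findings)

# Constructed sample requests (hypothetical parameter names).
B64 = quote(base64.b64encode(b'O:8:"stdClass":0:{}').decode())
SAMPLES = [
    "/?s=coffee+beans",                                        # benign search
    "/?data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",              # plain
    "/?data=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D",  # double-encoded
    "/?opts=" + B64,                                           # base64-wrapped
    "/?q=O%3A3%3A%22stdClass%22%3A0%3A%7B%7D",                 # length mismatch, ignored
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", scan_request(url))
```

A hit means a client sent something shaped like a serialized object, not that the theme deserialized it; treat it as a lead to correlate with the installed theme version.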