The Barber Shop
Unauthenticated PHP object injection in the Themeton 'The Barber Shop' WordPress theme (versions up to and including 1.9) allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a usable POP gadget chain is present. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 9.8, though no public exploit had been identified at the time of analysis and EPSS data was not provided. The vulnerability is rooted in CWE-502 (Deserialization of Untrusted Data), a class historically abused for RCE in WordPress plugin and theme ecosystems.