Themerex Addons

1 CVEs product

CVE-2025-60205 CRITICAL Act Now

Unauthenticated PHP object injection in the ThemeREX Addons WordPress plugin (versions 2.36.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, potentially leading to remote code execution, arbitrary file operations, or full site compromise when a suitable PHP gadget chain is present. The flaw is reachable without authentication and scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

PHP Deserialization Themerex Addons
NVD VulDB
CVSS 3.1: 9.8
EPSS: 0.5%
