WordPress HotStar Multi-Purpose Business Theme PHP Object Injection Vulnerability

A PHP object injection vulnerability allowing deserialization of untrusted data has been identified in the WordPress HotStar – Multi-Purpose Business Theme, affecting versions through 1.4. This vulnerability could lead to various injection attacks, including code injection, SQL injection, and path traversal, among other issues, if a suitable property-oriented programming chain is exploited.

Impact

Exploitation of this vulnerability could allow for PHP object injection, which generally could be leveraged to execute code injection, SQL injection, path traversal, denial-of-service attacks, and more, depending on the presence of a proper property-oriented programming chain.

Remediation

Users of the WordPress HotStar – Multi-Purpose Business Theme are advised to update to version 1.4 or later. For those unable to update immediately, Patchstack offers a virtual patch that can be applied to mitigate this vulnerability.