ThemeMakers Visual Content Composer PHP Object Injection Vulnerability

A deserialization vulnerability allowing object injection has been identified in the ThemeMakers Visual Content Composer plugin for WordPress, affecting versions through 1.5.8. This vulnerability could lead to PHP object injection, with potential consequences such as code execution, SQL injection, path traversal, or denial of service, depending on the presence of a suitable PHP object injection chain.

Impact

Exploitation of this vulnerability could allow a malicious actor to inject objects into the PHP application, potentially leading to arbitrary code execution, SQL injection, path traversal, or denial of service, if a proper PHP object injection chain is available.

Remediation

Users are advised to update to a version of the ThemeMakers Visual Content Composer plugin for WordPress that is later than 1.5.8. Patchstack has issued a virtual patch to block attacks targeting this vulnerability until an official fix is available.