What the vulnerability does
Description
Deserialization of Untrusted Data vulnerability in ThemeMove ThemeMove Core thememove-core allows Object Injection. This issue affects ThemeMove Core: from n/a through <= 1.4.2.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
ThemeMove Core versions up to 1.4.2 contain a deserialization vulnerability that allows authenticated attackers to execute arbitrary code on the site. The vulnerability exists in how the product processes untrusted serialized data without proper validation. An attacker with low-level site access can exploit this to gain full control over the site's functionality and data.
What an attacker can do
Run their own code on the site with full access to read, modify, and delete data.
Potential impact on your site
Complete site compromise possible; attacker can steal data, modify content, or take the site offline.
Conditions required to exploit
Attacker must have a low-level authenticated account on the site; no user interaction required.
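A check against the affected range stated above, as an added example that is not part of the advisory or the plugin's own code: it reads the `Version:` header from the `thememove-core` plugin directory and reports whether the installed version is at or below 1.4.2. The default `wp-content/plugins` layout and the sample file name `main.php` are assumptions.

```python
import re
import sys
from pathlib import Path

SLUG = "thememove-core"   # plugin directory name, taken from the advisory
LAST_AFFECTED = "1.4.2"   # advisory: affected through <= 1.4.2
HEADER_BYTES = 8192       # WordPress reads plugin headers from the first 8 KiB

def parse_version(text):
    """'1.4.10' -> (1, 4, 10); trailing zeros dropped so 1.4.2.0 == 1.4.2."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    parts = [int(p) for p in m.group(0).split(".")] if m else []
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def read_plugin_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
        if re.search(r"^[ \t/*#@]*Plugin Name:", head, re.M | re.I):
            m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", head, re.M | re.I)
            return m.group(1) if m else None
    return None

def audit(wp_root):
    """Return (status, version); status is absent, unknown, affected or newer."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG  # default layout assumed
    if not plugin_dir.is_dir():
        return ("absent", None)
    version = read_plugin_version(plugin_dir)
    if version is None or not parse_version(version):
        return ("unknown", version)
    # "newer" only means outside the stated range; the advisory names no fixed version.
    affected = parse_version(version) <= parse_version(LAST_AFFECTED)
    return ("affected" if affected else "newer", version)

def make_sample(wp_root, version):
    """Build a constructed plugin tree for demonstration (file name is hypothetical)."""
    d = Path(wp_root) / "wp-content" / "plugins" / SLUG
    d.mkdir(parents=True, exist_ok=True)
    (d / "main.php").write_text(
        f"<?php\n/**\n * Plugin Name: ThemeMove Core\n * Version: {version}\n */\n")

if __name__ == "__main__":
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Pass the WordPress root as the first argument. An `unknown` result means the header could not be read and the install needs manual inspection.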