Themes Vulnerabilities

Flatsome < 3.17.6 - Unauthenticated PHP Object Injection

Description

The theme is vulnerable to PHP Object Injection via deserialization of untrusted input. This allows unauthenticated attackers to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Themes

flatsome
Fixed in 3.17.6

References

CVE
CVE-2023-40555
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bfc4863a-1b8c-4b13-9df1-18f221b40b26

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
622c3d99-b42d-4f34-8c8b-868903bf679d

Timeline

Publicly Published
2023-09-05 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2026-04-21 (about 23 days ago)

Other

Published
Title
Published
2025-08-23
Title
PDF for Contact Form 7 < 6.5.1 - Authenticated (Subscriber+) PHP Object Injection
Published
2024-10-14
Title
Recently <= 1.1 - Unauthenticated PHP Object Injection
Published
2024-02-09
Title
Brooklyn <= 4.9.7.6 - PHP Object Injection
Published
2025-06-10
Title
Photography <= 7.5.2 - Unauthenticated PHP Object Injection
Published
2022-10-05
Title
LearnPress < 4.1.7.2 - Unauthenticated PHP Object Injection via REST API