CVE-2025-69130
WordPress · Entrepreneur Booking Theme
The Entrepreneur Booking WordPress theme is vulnerable to PHP Object Injection, allowing low-privileged authenticated users to execute arbitrary code.
Executive summary
An authenticated PHP Object Injection vulnerability in the Entrepreneur Booking theme allows subscribers to achieve remote code execution.
Vulnerability
The theme passes user-supplied input to PHP deserialization functions without validating it first. This lets a Subscriber-level user, the lowest authenticated role in WordPress, inject crafted serialized objects, which can lead to remote code execution on the server.
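As an added illustration (hypothetical code, not the theme's own, since the advisory names no function), the unsafe pattern behind this bug class is shown beside a hardened handler; the function names, nonce action and preference fields are assumptions:

```php
<?php
// Added example (not the theme's code): a hypothetical theme AJAX handler
// showing the PHP Object Injection pattern and a hardened replacement.

// Vulnerable pattern: raw POST data reaches unserialize(). A crafted string
// can instantiate attacker-chosen classes whose magic methods (__wakeup,
// __destruct) then run during deserialization. A nonce check does not help;
// any logged-in user can obtain a valid nonce.
function entrepreneur_demo_save_prefs_vulnerable() {
    check_ajax_referer( 'demo_prefs', 'nonce' );
    $prefs = unserialize( wp_unslash( $_POST['prefs'] ) );
    update_user_meta( get_current_user_id(), 'demo_prefs', $prefs );
    wp_send_json_success();
}

// Hardened pattern: never deserialize PHP objects from the request. Accept
// JSON, validate its shape, and store only sanitized scalars.
function entrepreneur_demo_save_prefs_hardened() {
    check_ajax_referer( 'demo_prefs', 'nonce' );
    $raw   = wp_unslash( $_POST['prefs'] ?? '' );
    $prefs = json_decode( $raw, true ); // associative arrays only, no objects
    if ( ! is_array( $prefs ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }
    $clean = array(
        'slot_length' => absint( $prefs['slot_length'] ?? 30 ),
        'timezone'    => sanitize_text_field( $prefs['timezone'] ?? 'UTC' ),
    );
    update_user_meta( get_current_user_id(), 'demo_prefs', $clean );
    wp_send_json_success( $clean );
}

// If legacy serialized data must still be read, disable class instantiation:
// any embedded object becomes __PHP_Incomplete_Class and no magic method runs.
function entrepreneur_demo_read_legacy( $stored ) {
    return unserialize( $stored, array( 'allowed_classes' => false ) );
}
```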
Business impact
With a CVSS score of 8.8, this vulnerability poses a severe risk to the entire WordPress environment. An attacker with minimal access can escalate their privileges, exfiltrate sensitive booking data, or gain full control over the web server hosting the site.
Remediation
Immediate Action: Update the "Entrepreneur - Booking for Small Businesses" theme to the latest patched version.
Proactive Monitoring: Review WordPress access logs for anomalous POST requests and scan for newly created or modified files in the web root.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to block common PHP object injection patterns.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the ease with which a subscriber-level account can trigger this vulnerability, it is imperative to update the theme immediately. If a patch is unavailable, the theme should be disabled until a secure version is released.