CVE-2026-8365
Blocksy · Blocksy Theme for WordPress
The Blocksy theme for WordPress is vulnerable to PHP Object Injection, enabling Remote Code Execution via the 'blocksy_meta' REST API field.
Executive summary
A critical PHP Object Injection vulnerability in the Blocksy WordPress theme allows for unauthenticated remote code execution, posing a severe risk to site integrity.
Vulnerability
The theme fails to properly sanitize input in the 'blocksy_meta' REST API field and during V200 database migrations. This allows an unauthenticated attacker to inject malicious PHP objects, leading to arbitrary remote code execution on the underlying server.
Business impact
This flaw carries a CVSS score of 8.8 and allows full site takeover. An attacker could gain complete control over the WordPress instance, resulting in data theft, site defacement, or the installation of persistent backdoors to facilitate further attacks on the hosting environment.
Remediation
Immediate Action: Update the Blocksy theme to the latest patched version.
Proactive Monitoring: Review WordPress access logs for suspicious REST API requests and check the filesystem for unauthorized file modifications.
Compensating Controls: Utilize a Web Application Firewall (WAF) to block malicious requests targeting the WordPress REST API and PHP object injection patterns.
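An added example for the Proactive Monitoring step (not code from this advisory or from Blocksy): it lists write requests to the WordPress REST API found in access logs and checks a captured JSON request body for serialized PHP object markers under 'blocksy_meta'. Assumptions: combined log format, 'blocksy_meta' appearing as a top-level JSON key, request bodies being available from a WAF or audit log, and the constructed sample data.

```python
import json
import re
from urllib.parse import unquote

# Combined-log-format fields: client IP, method, request target, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
# PHP serialize() object markers, e.g. O:8:"stdClass":0:{ (or the C: form).
PHP_OBJECT = re.compile(r'\b[OC]:\+?\d+:"[^"]*":\d+:\{')
WRITE_METHODS = {"POST", "PUT", "PATCH"}

def rest_write_requests(lines):
    """Return (ip, method, target, status) for write requests to the REST API."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        decoded = unquote(target)  # catches the ?rest_route= form when percent-encoded
        if method in WRITE_METHODS and ("/wp-json/" in decoded or "rest_route=" in decoded):
            hits.append((ip, method, target, int(status)))
    return hits

def _strings(node):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from _strings(v)

def meta_has_php_object(body, field="blocksy_meta"):
    """True if a string under the top-level `field` looks like a serialized PHP object."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    if not isinstance(doc, dict):
        return False
    return any(PHP_OBJECT.search(s) for s in _strings(doc.get(field)))

# Constructed sample data: documentation IP ranges and a benign stdClass marker.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 512 "-" "curl"',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 734 "-" "-"',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "POST /?rest_route=%2Fwp%2Fv2%2Fposts%2F12 HTTP/1.1" 200 734 "-" "-"',
]
SAMPLE_BODY = '{"title": "x", "blocksy_meta": {"k": "O:8:\\"stdClass\\":0:{}"}}'
```

Access logs rarely record request bodies, so rest_write_requests only narrows the set of requests to review; a hit is a lead to correlate with filesystem changes, not proof of compromise.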
Exploitation status
Public Exploit Available: false
Analyst recommendation
Remote code execution vulnerabilities in widely used themes are frequently targeted by automated scanners. Administrators must verify their theme version and apply updates immediately. If an update is unavailable, disabling the affected theme or functionality is recommended until a patch is deployed.