CVE-2026-57738
axiomthemes · 777
A deserialization of untrusted data vulnerability in the axiomthemes 777 WordPress theme allows for PHP object injection.
Executive summary
A critical PHP object injection vulnerability in the axiomthemes 777 theme allows unauthenticated attackers to achieve remote code execution.
Vulnerability
The theme is susceptible to CWE-502 (Deserialization of Untrusted Data), permitting an unauthenticated attacker to supply malicious input that results in arbitrary object injection. This facilitates potential code execution within the WordPress environment.
Business impact
The CVSS score of 9.8 reflects the high severity of this flaw, which allows for full site takeover and unauthorized access to sensitive application data. The ability for unauthenticated exploitation significantly increases the risk to the organization’s digital assets and reputation.
Remediation
Immediate Action: Update the 777 theme to the latest patched version. If an update is unavailable, ensure the theme is not active on the site until the vendor provides a fix.
Proactive Monitoring: Review security logs for unexpected file modifications or unauthorized administrative actions that could follow a successful injection attack.
Compensating Controls: Utilize a WAF to inspect incoming traffic and filter out requests containing malicious serialized PHP objects.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of this vulnerability, immediate remediation is required to secure the environment. Organizations should prioritize updating the 777 theme and auditing their WordPress installations for any signs of unauthorized activity or persistence.