CVE-2026-57770

ThemeGoods · Grand Photography

ThemeGoods Grand Photography is vulnerable to PHP Object Injection due to improper deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code.

Executive summary

A critical deserialization vulnerability in the ThemeGoods Grand Photography theme allows unauthenticated attackers to achieve remote code execution, posing a severe risk to site integrity.

Vulnerability

This is a Deserialization of Untrusted Data (CWE-502) vulnerability. The application fails to properly validate serialized input, enabling unauthenticated remote attackers to inject malicious PHP objects into the environment.

Business impact

Successful exploitation of this vulnerability allows for full system compromise, including the execution of arbitrary commands, unauthorized data modification, and potential exfiltration of sensitive site information. With a CVSS score of 9.8, this vulnerability is classified as critical, as it requires no user interaction or authentication to trigger, representing an immediate threat to business continuity and data security.

Remediation

Immediate Action: Review vendor documentation for the latest release and update the Grand Photography theme to a version beyond 5.7.8 immediately.

Proactive Monitoring: Monitor server access logs for suspicious serialized string patterns or unusual POST requests targeting theme-specific endpoints.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block common PHP object injection payloads and unauthorized attempts to interact with theme settings.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the critical severity and the lack of authentication required for exploitation, administrators should treat this as a high-priority incident. Apply the necessary vendor updates as soon as they become available to prevent potential exploitation.