CVE-2023-46147: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability (CVE-2023-46147) was discovered in Themify Ultra WordPress theme, affecting versions through 7.3.5. The vulnerability was reported by Rafie Muhammad and publicly disclosed on October 17, 2023. This security issue impacts the popular theme which has over 70,000 active installations (Security Online).

The vulnerability is classified as a PHP Object Injection vulnerability that occurs when user-supplied input is not properly sanitized before being passed to the PHP unserialize function. The vulnerability has received a CVSS v3.1 base score of 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) from NVD and 7.4 HIGH from Patchstack. The issue is tracked under CWE-502 (Deserialization of Untrusted Data) (NVD, Patchstack).

If a POP chain is present via an additional plugin or theme installed on the target system, this vulnerability could allow authenticated attackers with subscriber access and above to delete arbitrary files, retrieve sensitive data, or execute code on the affected system. The vulnerability could potentially lead to sensitive data leakage or remote code execution (WPScan).

Users are strongly advised to update to Themify Ultra version 7.3.6 or later, which contains the fix for this vulnerability. The update addresses the deserialization vulnerability and provides enhanced security measures (Security Online).