The VEDA - MultiPurpose WordPress Theme suffers from a PHP Object Injection vulnerability due to deserialization of untrusted data in the 'veda_backup_and_restore_action' function. This allows authenticated users with at least Subscriber privileges to inject PHP objects. The vulnerability itself does not lead to direct compromise unless another plugin or theme installed on the WordPress site contains a POP (Property Oriented Programming) chain that can be leveraged. When such a POP chain is present, attackers may perform critical actions including arbitrary file deletion, sensitive data disclosure, or code execution. The CVSS 3.1 base score is 9.8, reflecting the high potential impact if combined with a suitable POP chain. No patch or official fix information is provided in the data.

The vulnerability enables authenticated attackers with Subscriber-level access or higher to inject PHP objects via deserialization. Direct impact is conditional on the presence of a POP chain in other installed plugins or themes. If such a chain exists, attackers could delete arbitrary files, retrieve sensitive information, or execute arbitrary code, leading to full site compromise. Without a POP chain, the vulnerability does not result in exploitation.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, site administrators should consider restricting plugin/theme installations to trusted sources and review installed plugins/themes for known POP chains that could be exploited. Monitoring for updates from designthemes and applying patches promptly when released is recommended.