Attack Vectors
The Pizza House – Restaurant / Cafe / Bistro WordPress theme (slug: pizzahouse) in versions up to and including 1.4.0 has a High-severity vulnerability (CVSS 8.1) that can be triggered remotely without authentication. In practical business terms, this means an attacker can attempt exploitation over the internet against a public-facing WordPress site—without needing a username or password.
The issue involves “deserialization of untrusted input,” which can allow an attacker to inject a PHP object into the application. While the vulnerable theme itself is not known to include the additional components needed to fully weaponize the attack (a set of gadget classes often referred to as a POP chain, for property-oriented programming), many real-world WordPress environments include multiple plugins and themes—creating risk that another installed component could supply what’s needed to escalate impact.
Security Weakness
CVE-2026-28074 affects Pizza House <= 1.4.0 because user-supplied data is deserialized insecurely, which lets that data create or manipulate PHP objects inside the application. This is a classic class of weakness where a system trusts data it should treat as hostile, especially when that data can influence application behavior behind the scenes.
Wordfence notes there is no known “POP chain” in the vulnerable software. However, the business risk remains significant because the exploitability and impact can change depending on what else is installed on the site. In other words: even if the theme alone doesn’t immediately enable full compromise, the theme can become the entry point when combined with other components—something common in marketing-managed WordPress stacks.
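As an added illustration of this weakness class (not code from the Pizza House theme, whose vulnerable code path is not shown here), the following contrasts the unsafe pattern with two ways a WordPress theme developer closes it; the request parameter and function names are hypothetical:

```php
<?php
// Added example, not the Pizza House theme's own code; the request
// parameter and function names are hypothetical.
// VULNERABLE PATTERN: request data goes straight into unserialize(). Any
// class loaded on the site (core, every plugin, every theme) can then be
// instantiated and its __wakeup()/__destruct() run, which is why a theme
// with no POP chain of its own still matters: another component can supply it.
function ph_load_layout_unsafe() {
    if ( ! isset( $_POST['ph_layout'] ) ) {
        return array();
    }
    return unserialize( wp_unslash( $_POST['ph_layout'] ) ); // object injection
}

// HARDENED PATTERN 1: keep the format but forbid objects. Since PHP 7.0,
// unserialize() takes an allowed_classes option; false means no class is
// instantiated and any object becomes __PHP_Incomplete_Class (no magic methods).
function ph_load_layout_safe() {
    if ( ! isset( $_POST['ph_layout'] ) ) {
        return array();
    }
    $data = unserialize(
        wp_unslash( $_POST['ph_layout'] ),
        array( 'allowed_classes' => false )
    );
    // Only a plain array of settings is expected; reject anything else,
    // including the placeholder objects left behind for blocked classes.
    if ( ! is_array( $data ) || ph_contains_object( $data ) ) {
        return array();
    }
    return $data;
}

// HARDENED PATTERN 2 (preferred for new code): a format that cannot
// express PHP objects at all.
function ph_load_layout_json() {
    if ( ! isset( $_POST['ph_layout'] ) ) {
        return array();
    }
    $data = json_decode( wp_unslash( $_POST['ph_layout'] ), true, 8 );
    return is_array( $data ) ? $data : array();
}

function ph_contains_object( $value ) {
    if ( is_object( $value ) ) {
        return true;
    }
    return is_array( $value ) && in_array( true, array_map( 'ph_contains_object', $value ), true );
}
```

Pattern 1 is the minimal fix when the serialized format must be kept for compatibility; pattern 2 removes the weakness class entirely.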
Technical or Business Impacts
If exploitation becomes viable (for example, due to a POP chain present via another plugin or theme), potential outcomes can include deletion of arbitrary files, exposure of sensitive information, or execution of code on the server. For business owners and executives, this translates to risks like website defacement, downtime during peak campaign periods, loss of customer trust, and emergency recovery costs.
For marketing and revenue teams, site disruption can interrupt lead capture, online ordering/reservations, and analytics continuity—directly impacting pipeline and attribution. For compliance and finance stakeholders, sensitive data access can trigger breach reporting obligations, contractual penalties, and increased cyber insurance scrutiny.
Remediation is especially important because there is no known patch available at this time. Organizations should review their risk tolerance and consider mitigations, including uninstalling the affected theme and replacing it, and tightening exposure (e.g., minimizing unnecessary plugins/themes) while monitoring for suspicious activity.
Similar Attacks
Object injection and unsafe deserialization flaws have been used in real-world incidents and disclosures across the PHP ecosystem. Examples include:
Drupalgeddon2 (SA-CORE-2018-002) — a widely exploited remote attack chain that led to mass compromise of sites.
Drupal SA-CORE-2019-003 — another major Drupal core vulnerability associated with unsafe handling leading to severe outcomes.
Joomla Object Injection (CVE-2015-8562) — a notable case where object injection was leveraged to compromise websites.