Skip to main content

Slimstat Analytics CVE-2026-27410

| EUVD-2026-37670 MEDIUM
Deserialization of Untrusted Data (CWE-502)
2026-06-17 Patchstack
Deserialization Slimstat Analytics
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable unauthenticated deserialization (AV:N/PR:N); AC:H reflects gadget-chain dependency; S:C and L/L/L impact consistent with PHP object injection without confirmed RCE.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 17, 2026 - 13:01 EUVD
Analysis Generated
Jun 17, 2026 - 12:54 vuln.today

DescriptionCVE.org

Unauthenticated Deserialization of untrusted data in Slimstat Analytics < 5.4.0 versions.

AnalysisAI

Unauthenticated deserialization of untrusted data in the Slimstat Analytics WordPress plugin (versions prior to 5.4.0) allows remote attackers to exploit PHP object injection without authentication. The CVSS vector indicates high attack complexity (AC:H) and scope change (S:C), meaning successful exploitation can affect components beyond the plugin itself - potentially the broader WordPress environment or server. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted HTTP request to plugin endpoint
Delivery
Deliver serialized PHP object payload
Exploit
Trigger unserialize() on untrusted input
Execution
Invoke PHP magic method gadget chain
Impact
Execute attacker-controlled code in WordPress context
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The vulnerable endpoint in Slimstat Analytics must be reachable over the network and must accept user-supplied input that is passed to a PHP deserialization function without sanitization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L presents a nuanced risk picture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote, unauthenticated attacker sends a crafted HTTP request to a WordPress site running Slimstat Analytics below 5.4.0, embedding a malicious serialized PHP object in a parameter processed by the plugin. If a viable gadget chain exists among the PHP classes loaded by WordPress or co-installed plugins, the deserialized object triggers magic methods that execute attacker-controlled logic - potentially writing files, exfiltrating data, or escalating to full site compromise. …
Remediation Vendor-released patch: 5.4.0. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-54818 HIGH
8.5 Jun 17

Blind SQL injection in VeronaLabs Slimstat Analytics WordPress plugin through version 5.4.11 allows authenticated low-pr

Share

CVE-2026-27410 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy