What is the CVSS score of CVE-2026-27429?

CVE-2026-27429 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Which versions of Nifty WordPress Theme are affected by CVE-2026-27429?

A critical remote code execution vulnerability in BoldThemes Nifty WordPress theme (versions 1.4.1 and earlier) can be exploited by unauthenticated attackers to achieve full system compromise through…

How to fix or mitigate CVE-2026-27429?

Within 24 hours: Identify all WordPress instances using BoldThemes Nifty v1.4.1 or earlier; immediately disable and remove the theme; restore from clean backup if available. Within 7 days: Perform forensic analysis of web server logs and WordPress audit logs for unauthorized access attempts or serialization patterns; deploy alternative WordPress theme; conduct full security testing of migrated installations. Within 30 days: Implement Web Application Firewall rules for PHP object injection detection; establish theme version inventory and patch management process; configure file integrity monitoring on /wp-content/themes/ directories; deploy runtime application self-protection (RASP) if available.

Nifty WordPress Theme CVE-2026-27429

EUVD-2026-37464 CRITICAL

Deserialization of Untrusted Data (CWE-502)

2026-06-16 Patchstack

PHP Deserialization Nifty

9.8

CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI

9.8 CRITICAL

Unauthenticated network-reachable unserialize() sink with no user interaction; a reachable POP chain yields full RCE, justifying PR:N, AC:L and C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 16, 2026 - 23:44 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in Nifty <= 1.4.1 versions.

Articles & Coverage 1

News Critical PHP Object Injection in BoldThemes Nifty WordPress Theme - CVE-2026-27429 Jun 17, 2026

AnalysisAI

Unauthenticated PHP Object Injection in BoldThemes Nifty WordPress theme versions 1.4.1 and earlier allows remote attackers to inject arbitrary PHP objects through unsafe deserialization, potentially leading to remote code execution when a suitable gadget chain exists in the WordPress installation. No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with CVSS 9.8 makes this a high-priority issue for any site running the affected theme. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify WordPress site running Nifty ≤1.4.1

Delivery

Craft serialized PHP payload using known POP gadget

Exploit

Submit payload to vulnerable theme endpoint

Install

Theme calls unserialize() on attacker input

Gadget chain triggers magic method during object destruction

Execute

Write webshell or execute arbitrary PHP

Impact

Full site compromise and data theft

Recon

Identify WordPress site running Nifty ≤1.4.1

Delivery

Craft serialized PHP payload using known POP gadget

Exploit

Submit payload to vulnerable theme endpoint

Install

Theme calls unserialize() on attacker input

Gadget chain triggers magic method during object destruction

Execute

Write webshell or execute arbitrary PHP

Impact

Full site compromise and data theft

Vulnerability AssessmentAI

Exploitation	Target site must be running the BoldThemes Nifty WordPress theme at version 1.4.1 or earlier with the vulnerable theme endpoint reachable over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H signals a worst-case profile: network-reachable, low complexity, no authentication, no user interaction, with high impact across confidentiality, integrity, and availability - consistent with unauthenticated PHP Object Injection. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated attacker sends an HTTP request to a public Nifty theme endpoint with a crafted serialized PHP payload in a parameter, cookie, or header that the theme passes to unserialize(). The deserialization instantiates objects chosen from a POP gadget chain present in WordPress core or other installed plugins, triggering magic methods that write a PHP webshell to the uploads directory or execute arbitrary code, giving the attacker full control of the WordPress site.
Remediation	No vendor-released patch identified at time of analysis; the EUVD entry lists the affected range as '≤1.4.1' without naming a fixed version, so administrators should monitor the BoldThemes vendor channel and the Patchstack advisory at https://patchstack.com/database/wordpress/theme/nifty/vulnerability/wordpress-nifty-theme-1-4-1-php-object-injection-vulnerability for a fixed release and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress instances using BoldThemes Nifty v1.4.1 or earlier; immediately disable and remove the theme; restore from clean backup if available. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2026-27429 vulnerability details – vuln.today

Back

Nifty WordPress Theme CVE-2026-27429

Severity by source

CVSS VectorVendor: Patchstack

Lifecycle Timeline

DescriptionCVE.org

Articles & Coverage 1

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code