PressMart Theme
CVE-2026-39442
HIGH
Severity by source: Vendor (Patchstack), High.
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Rationale: network-reachable, unauthenticated deserialization (AV:N/PR:N/UI:N) with AC:H because reliable exploitation requires a usable POP gadget chain; full H/H/H impact via potential RCE.
Primary rating from Vendor (Patchstack): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Unauthenticated PHP Object Injection in PressMart <= 1.2.26 versions.
Analysis (AI)
Unauthenticated PHP Object Injection in the PressMart WordPress theme, versions 1.2.26 and earlier, allows remote attackers to deliver malicious serialized payloads that the theme passes to PHP's deserializer. Because unserialize() instantiates whatever class the payload names, an attacker can abuse magic methods (__wakeup, __destruct, __toString) of classes already loaded by WordPress core, plugins or the theme to build a property-oriented programming (POP) gadget chain, potentially leading to full site compromise. The flaw was disclosed via Patchstack and carries a CVSS 8.1 (AV:N/AC:H/PR:N/UI:N). No public exploit was identified at the time of analysis; the high attack complexity reflects the need for a usable gadget chain to escalate from deserialization to concrete impact.
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata, not from observed exploitation.
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | The target site must be running the PressMart WordPress theme at version 1.2.26 or earlier, and the vulnerable deserialization sink must be reachable without authentication (PR:N) over the network (AV:N), with no user interaction required. … |
| Risk Assessment | Signals are mixed and warrant careful triage. … |
| Exploit Scenario | An unauthenticated attacker identifies a public-facing WordPress site running PressMart 1.2.26 or earlier and submits a crafted HTTP request containing a serialized PHP object to a theme-handled endpoint. The injected object instantiates a class from WordPress core or another installed plugin whose magic methods form a property-oriented programming chain, ultimately writing a webshell or executing arbitrary PHP. … |
| Remediation | Upgrade the PressMart theme to a version newer than 1.2.26 as soon as the vendor publishes a fix; consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/presssmart/vulnerability/wordpress-pressmart-theme-1-2-26-php-object-injection-vulnerability for the patched release. … |
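The pattern the advisory describes, shown as an added illustration rather than PressMart's own code (the theme's actual sink is not reproduced on this page): a hypothetical request handler that deserializes client input, beside a hardened equivalent and a fail-closed helper for the case where serialized data genuinely must be read. The function names, the `state` parameter and the allowed keys are assumptions for the example.

```php
<?php
// Added illustration, not code from the PressMart theme. The handler names and
// request parameter are hypothetical; wp_unslash() is WordPress core.

// VULNERABLE: unserialize() on request data. A payload beginning "O:<len>:"<class>""
// instantiates any loaded class; its __wakeup()/__destruct() can start a POP chain.
function pressmart_demo_load_state_vulnerable(): array {
    $raw   = isset($_POST['state']) ? wp_unslash($_POST['state']) : '';
    $state = unserialize($raw);            // sink: attacker chooses the class
    return is_array($state) ? $state : [];
}

// HARDENED: never accept PHP serialization from the client. Read JSON into plain
// arrays, bound the depth, and whitelist the keys and types the handler needs.
function pressmart_demo_load_state_hardened(): array {
    $raw   = isset($_POST['state']) ? wp_unslash($_POST['state']) : '';
    $state = json_decode($raw, true, 4);   // associative arrays only, depth-limited
    if (!is_array($state) || json_last_error() !== JSON_ERROR_NONE) {
        return [];
    }
    $sort = $state['sort'] ?? 'date';
    return [
        'per_page' => max(1, min(100, (int) ($state['per_page'] ?? 12))),
        'sort'     => in_array($sort, ['price', 'date'], true) ? $sort : 'date',
    ];
}

// LEGACY PATH: if serialized text cannot be avoided (for example migrating stored
// options), reject any object token up front and, as a second layer, pass
// allowed_classes => false so a surviving O:/C: token only yields
// __PHP_Incomplete_Class, on which no real class's magic methods run.
function pressmart_demo_unserialize_safely(string $raw) {
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $raw)) {
        error_log('rejected serialized object token in untrusted input'); // detection hook
        return false;
    }
    return unserialize($raw, ['allowed_classes' => false]);
}
```

When triaging an install, a quick `grep -rn 'unserialize(' wp-content/themes/` locates candidate sinks to compare against the hardened form above.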
Recommended Action (AI)
Within 24 hours: Inventory all installations of PressMart theme and identify affected versions. …