Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated, network-reachable deserialization (AV:N/PR:N/UI:N); AC:H because impact depends on a viable POP gadget chain; full CIA impact via potential RCE.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Unauthenticated PHP Object Injection in EmallShop versions <= 2.4.21.
Analysis (AI)
Unauthenticated PHP Object Injection in the EmallShop WordPress theme (versions <= 2.4.21) allows remote attackers to inject crafted serialized PHP objects that the application deserializes, potentially leading to remote code execution, data tampering, or denial of service when a suitable gadget chain is present. The flaw was disclosed by Patchstack (EUVD-2026-37470) and carries CVSS 8.1 (AV:N/AC:H/PR:N/UI:N); no public exploit was identified at the time of analysis, and the issue is not listed in CISA KEV.
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata (visualization not included here).
Vulnerability Assessment (AI)
| Section | Assessment |
| --- | --- |
| Exploitation | Exploitation requires (1) the target site to be running the EmallShop theme at version 2.4.21 or earlier, (2) network reachability to the vulnerable PHP endpoint (no authentication needed, per PR:N), and (3) the presence of a usable POP gadget chain in another installed plugin, theme, or PHP/WordPress core class; this last requirement is what drives the CVSS AC:H rating, because raw object injection without a chain yields only limited impact. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates a network-reachable, unauthenticated flaw with high impact across confidentiality, integrity, and availability, tempered by high attack complexity, typically because a usable gadget chain must already be present in the victim site's plugin/theme stack. … |
| Exploit Scenario | An attacker crafts a serialized PHP object payload aligned with a gadget chain present in the target WordPress site's plugin stack and submits it to an EmallShop endpoint that passes user-controlled input to unserialize(); upon deserialization, magic methods fire and execute the chain to write a PHP webshell, exfiltrate database credentials from wp-config.php, or pivot to administrative account takeover. No public exploit code was identified at the time of analysis, but Patchstack-disclosed object-injection issues are commonly weaponized by security researchers and opportunistic actors shortly after disclosure. |
| Remediation | No vendor-released patch was identified at the time of analysis; the Patchstack advisory does not specify a fixed version, so administrators should monitor the EmallShop changelog at PressLayouts/ThemeForest and apply the next release above 2.4.21 as soon as it is published (consult https://patchstack.com/database/wordpress/theme/emallshop/vulnerability/wordpress-emallshop-theme-2-4-21-php-object-injection-vulnerability for updates). … |
Recommended Action (AI)
Within 24 hours: Audit all WordPress installations to identify those running EmallShop theme versions ≤ 2.4.21 and document the count and business criticality of each. …