
Alukas WordPress Theme CVE-2026-39445

Severity: HIGH (CVSS 3.1 base score 8.1, vendor: Patchstack)
Weakness: Deserialization of Untrusted Data (CWE-502)
Published: 2026-06-17 (Patchstack)

Severity by source

Vendor (Patchstack), primary rating: 8.1 HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.1 HIGH
Network-reachable unauthenticated deserialization (AV:N/PR:N/UI:N), but exploitation depends on finding a POP gadget chain, justifying AC:H; a successful chain typically yields full C/I/A impact.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026, 14:36 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in Alukas < 3.0.0 versions.

Analysis (AI)

Unauthenticated PHP Object Injection in the Alukas WordPress theme (versions prior to 3.0.0) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, file manipulation, or full site compromise when a usable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is tracked by Patchstack as a deserialization flaw affecting the presslayouts:alukas product line. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify a WordPress site running Alukas < 3.0.0
Delivery: Craft a serialized PHP object whose properties point at a POP gadget chain available on that install
Exploit: Submit the payload to the vulnerable theme endpoint (parameter, cookie or AJAX action)
Execution: The theme calls unserialize(), which instantiates the objects and fires their magic methods (__wakeup() during deserialization, __destruct() when they are freed)
Persist: Write a webshell or execute PHP code via the gadget's side effects
Impact: Full site and database compromise

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a reachable Alukas theme endpoint that passes attacker-supplied input into PHP unserialize(), typically a public WordPress page, AJAX action, or cookie/parameter handled by the theme prior to version 3.0.0. For the deserialized object to produce meaningful impact, the WordPress installation must also expose a usable POP gadget chain (from core, plugins, or other themes); that dependency is why the CVSS vector carries AC:H. …
Risk Assessment: The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H scores 8.1 (High) and is consistent with a remotely reachable unauthenticated sink that nonetheless requires a non-trivial gadget chain (AC:H). …
Exploit Scenario: An unauthenticated attacker sends an HTTP request to a vulnerable Alukas endpoint carrying a crafted serialized PHP object designed to trigger a POP gadget chain present in WordPress core or a co-installed plugin. When the theme calls unserialize() on the input, the chain fires from object lifecycle magic methods such as __wakeup() or __destruct() and is leveraged to write a PHP webshell into the uploads directory or execute attacker code, yielding full site takeover. …
Remediation: A patch is available. Upgrade the Alukas theme to version 3.0.0 or later, as documented in the Patchstack advisory at https://patchstack.com/database/wordpress/theme/alukas/vulnerability/wordpress-alukas-theme-3-0-0-php-object-injection-vulnerability. …
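The sink and its fix side by side, as an added example written for this entry (not code from the Alukas theme, WordPress or Patchstack). The `prefs` input and the `CacheWriter` gadget class are hypothetical stand-ins, since this page identifies neither the theme's actual sink nor any gadget chain present on a given install. The block shows the unserialize() sink, a destructor-based gadget that writes a file (the webshell primitive the scenario describes), the hardened call with `allowed_classes => false`, and the JSON alternative that cannot name classes at all.

```php
<?php
// Added illustration for this advisory, not code from the Alukas theme, WordPress or
// Patchstack. The 'prefs' input and the CacheWriter gadget class are hypothetical
// stand-ins: this page identifies neither the theme's real sink nor any gadget chain.

// Stand-in for a gadget class that happens to exist somewhere in the install (core,
// a plugin, another theme). Its destructor writes a file, which is the
// "write a webshell into uploads" primitive in the scenario above. The attacker never
// calls it; PHP does, when the object is freed.
class CacheWriter {
    public $path;
    public $content;
    public function __destruct() {
        file_put_contents($this->path, $this->content);
    }
}

// Vulnerable pattern: attacker-controlled bytes go straight into unserialize(),
// so any loadable class can be instantiated; its __wakeup() (if defined) runs inside
// unserialize() and its __destruct() runs when the object is released.
function load_prefs_vulnerable(string $raw) {
    return unserialize($raw);
}

// Hardened: object creation disabled. Every O:... entry becomes a
// __PHP_Incomplete_Class, which has no methods, so no gadget can fire.
function load_prefs_hardened(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Preferred: do not accept PHP serialization from clients at all. JSON cannot
// name classes, and JSON_THROW_ON_ERROR turns malformed input into an exception.
function load_prefs_json(string $raw): array {
    return json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
}

// Emits one serialized string element. The payload is hand-built from these so
// that no CacheWriter object is ever created on the "attacker" side.
function ser_str(string $s): string {
    return sprintf('s:%d:"%s";', strlen($s), $s);
}

// Constructed payload: what the cookie or parameter would carry. The target path is
// a temp file here; in the real scenario it would be under wp-content/uploads.
$target  = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.php';
$payload = 'a:2:{' . ser_str('theme') . ser_str('dark') . ser_str('x')
         . 'O:11:"CacheWriter":2:{'
         . ser_str('path') . ser_str($target)
         . ser_str('content') . ser_str('<?php echo 1; ?>')
         . '}}';
echo "payload: $payload\n";

// Hardened sink: the array comes back, the object slot is inert, nothing is written.
$safe = load_prefs_hardened($payload);
echo "hardened: x is an instance of ", get_class($safe['x']), "\n";
unset($safe);
echo "hardened: file written? ", file_exists($target) ? "yes" : "no", "\n";

// Vulnerable sink: CacheWriter is instantiated; releasing it runs __destruct(),
// which writes the attacker-chosen content to the attacker-chosen path.
$prefs = load_prefs_vulnerable($payload);
unset($prefs);
echo "vulnerable: file written? ", file_exists($target) ? "yes" : "no", "\n";
@unlink($target);
```

Run it with the php CLI. Note that the gadget here is deliberately trivial; on a real site the attacker must find a class already loadable by WordPress whose magic methods chain to a file write or code execution, which is the work AC:H accounts for. `allowed_classes` removes that entire class of behaviour from the sink regardless of what gadgets exist, but switching the data format to JSON is the cleaner fix.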

Recommended Action (AI)

Within 24 hours: Audit all WordPress installations to identify where Alukas theme versions prior to 3.0.0 are deployed and upgrade them to 3.0.0 or later; where an immediate upgrade is not possible, switch non-critical sites to another theme until it is. …
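As a compensating control while upgrades are pending, the following added example (written for this entry, not code from WordPress, the Alukas theme or Patchstack) rejects requests that carry a serialized PHP object in a parameter or cookie. The sample request values are constructed, the URL-decoding and base64 variants are assumptions about how a payload might be wrapped, and the mu-plugin hook shown in the comment is assumed wiring. It is a stopgap: it will also block legitimate serialized data a plugin might send, and it does not replace the upgrade.

```php
<?php
// Added example for this advisory, not code from WordPress, the Alukas theme or
// Patchstack. Sample values are constructed; the decoding variants and the 'init'
// hook wiring in the comment at the end are assumptions.

// True if a value contains a serialized PHP object (O:<len>:"Class":<n>:{) or a
// custom-serialized class (C:<len>:"Class":<n>:{), which any POP payload needs.
// The lookbehind stops "NO:12:" style false matches inside ordinary text.
function contains_php_object(string $value): bool {
    $pattern = '/(?<![A-Za-z0-9])[OC]:\d+:"[^"]+":\d+:\{/';
    $candidates = [$value, rawurldecode($value)];
    $b64 = base64_decode($value, true);       // strict: false unless valid base64
    if ($b64 !== false) {
        $candidates[] = $b64;
    }
    foreach ($candidates as $candidate) {
        if (preg_match($pattern, $candidate) === 1) {
            return true;
        }
    }
    return false;
}

// Walks every request source and returns "SOURCE.key.subkey" for each suspicious
// value. PHP parses prefs[layout]=... into nested arrays, so the walk recurses.
function find_object_payloads(array $sources): array {
    $hits = [];
    $walk = function ($value, string $path) use (&$walk, &$hits): void {
        if (is_array($value)) {
            foreach ($value as $key => $child) {
                $walk($child, "$path.$key");
            }
        } elseif (is_string($value) && contains_php_object($value)) {
            $hits[] = $path;
        }
    };
    foreach ($sources as $name => $values) {
        $walk($values, $name);
    }
    return $hits;
}

// Constructed sample request standing in for $_GET, $_POST and $_COOKIE.
// The class names in the payloads are placeholders, not real gadgets.
$sample = [
    'GET'    => ['s' => 'shoes', 'page' => '2'],
    'POST'   => ['prefs' => ['layout' =>
                    'O:11:"CacheWriter":2:{s:4:"path";s:9:"shell.php";s:7:"content";s:5:"<?php";}']],
    'COOKIE' => ['wp_prefs' => base64_encode('a:1:{s:1:"x";O:3:"Foo":0:{}}'),
                 'lang'     => 'en'],
];

foreach (find_object_payloads($sample) as $hit) {
    echo "serialized object in request: $hit\n";
}

// Assumed WordPress wiring, as a must-use plugin, run early on 'init':
//   add_action('init', function () {
//       $hits = find_object_payloads(['GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE]);
//       if ($hits) {
//           error_log('blocked PHP object payload in ' . implode(',', $hits));
//           wp_die('Request rejected', 'Forbidden', ['response' => 403]);
//       }
//   }, 0);
```

Run with the php CLI; it reports the POST parameter and the base64-wrapped cookie from the sample and ignores the ordinary search and paging values. Coverage of the three superglobals is not complete: a payload can also arrive in a header, inside a JSON string, or in a raw POST body, so treat this as a detection signal and a short-lived block, not as a fix.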


CVE-2026-39445 vulnerability details – vuln.today
