Skip to main content

Elementra Theme CVE-2026-39529

| EUVD-2026-37473 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-16 Patchstack
PHP Deserialization Elementra
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable deserialization in a WordPress theme yields PR:N, AV:N, AC:L, UI:N; successful object injection typically enables RCE giving full C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:40 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in Elementra <= 1.0.9 versions.

AnalysisAI

Unauthenticated PHP object injection in the WordPress Elementra theme (versions ≤ 1.0.9) allows remote attackers to deliver crafted serialized payloads that trigger deserialization of untrusted data. With no public exploit identified at time of analysis, the CVSS 9.8 vector still indicates network-reachable, no-auth exploitation against any WordPress site running an affected Elementra build. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify WordPress site running Elementra ≤1.0.9
Delivery
Craft serialized PHP object with POP gadget
Exploit
Send payload to vulnerable theme endpoint
Install
Theme unserializes attacker input
C2
Gadget chain executes during object destruction
Execute
Achieve code execution or file write
Impact
Establish persistent webshell on site
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The target site must have the Elementra theme by themerex_group installed and active at version 1.0.9 or earlier, and the vulnerable injection sink must be reachable over the network with no authentication or user interaction (consistent with AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H is internally consistent with Patchstack's 'unauthenticated' classification - remote, low-complexity, no authentication, no user interaction, full CIA impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker crafts a serialized PHP object referencing a POP gadget present in WordPress core or another installed plugin, then submits it to a vulnerable Elementra parameter (query string, POST body, or cookie) reachable on the public site. The theme deserializes the payload, the gadget chain fires during object lifecycle methods, and the attacker achieves arbitrary file write or PHP code execution leading to full site takeover. …
Remediation No vendor-released patch identified at time of analysis - the Patchstack advisory at https://patchstack.com/database/wordpress/theme/elementra/vulnerability/wordpress-elementra-theme-1-0-9-php-object-injection-vulnerability lists affected versions ≤1.0.9 without naming a fixed release, so administrators should monitor themerex_group for a version above 1.0.9 and apply it as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Inventory all WordPress deployments and identify those running Elementra theme ≤1.0.9; disable the theme or restrict access to trusted networks only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

CVE-2026-39529 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy