Severity by source
Primary rating from vendor (Patchstack).
CVSS 3.1 vector (Patchstack): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 8.1)
Rationale: unauthenticated, network-reachable WordPress theme endpoint (AV:N/PR:N/UI:N); AC:H reflects the dependency on a usable POP gadget chain being present on the target; successful object injection typically yields full compromise of the site's confidentiality, integrity and availability.
Description (CVE.org)
Unauthenticated PHP Object Injection in Alloggio - Hotel Booking <= 2.1.2 versions.
Analysis (AI-generated)
Unauthenticated PHP Object Injection in the Alloggio - Hotel Booking WordPress theme through version 2.1.2 allows remote attackers to supply crafted serialized PHP objects to an unauthenticated endpoint; when a suitable gadget chain is available on the target, deserialization can lead to high-impact compromise of the hosting WordPress site. The flaw was reported by Patchstack and is tracked as EUVD-2026-37474. No public exploit had been identified at the time of analysis, and there was no evidence of active exploitation. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)

Exploitation: the target site must be running the edge-themes Alloggio - Hotel Booking WordPress theme at version 2.1.2 or earlier, with the vulnerable booking/AJAX entry point reachable over the network (consistent with AV:N/PR:N/UI:N: no authentication or user interaction required). Exploitation further depends on a usable gadget chain being loaded in the same PHP process, which is what AC:H captures. …

Risk Assessment: the CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H combines network reach and no authentication with high attack complexity and high impact across confidentiality, integrity and availability, yielding a base score of 8.1. …

Exploit Scenario: a remote attacker crafts an HTTP request to a public Alloggio booking or AJAX endpoint, embedding a serialized PHP object payload in a parameter that the theme passes to unserialize(). When the server deserializes the input, PHP instantiates the attacker-chosen class with attacker-chosen property values, and magic methods such as __wakeup() or __destruct() run without the application ever calling the object. If those methods, in WordPress core or a co-installed plugin or theme, form a POP gadget chain, the outcome can be arbitrary file write, sensitive data disclosure, or remote code execution as the web server user. …

Remediation: a patch is available per the vendor advisory. Upgrade the Alloggio - Hotel Booking theme to a release later than 2.1.2 as published by edge-themes, following the Patchstack advisory at https://patchstack.com/database/wordpress/theme/alloggio/vulnerability/wordpress-alloggio-hotel-booking-theme-2-1-2-php-object-injection-vulnerability. The specific fixed version is not enumerated in the data on this page and should be confirmed against the vendor changelog before deployment. …
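The following is an added example, not code from the Alloggio theme, from edge-themes or from Patchstack. It shows the generic PHP Object Injection pattern the exploit scenario describes: a request parameter reaching unserialize(), a class with a __destruct() standing in for a gadget (the TempFileWriter class and the audit log are constructed for this demonstration and do not correspond to any real Alloggio or WordPress class), and the hardened form that refuses objects with allowed_classes => false. The theme's real endpoint and parameter names are not given on this page and are not assumed here.

```php
<?php
// Added example: generic PHP Object Injection, vulnerable vs hardened.
// TempFileWriter and Audit are constructed stand-ins, not real theme code.
declare(strict_types=1);

// Hypothetical gadget: a class some plugin/theme might define for caching or
// logging. Its __destruct() runs whenever an instance is garbage-collected,
// including instances that unserialize() built from attacker input.
final class TempFileWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // A real gadget would file_put_contents($this->path, $this->data).
        // Here we only record that the magic method fired with attacker values.
        Audit::$events[] = 'destruct: would write ' . strlen($this->data)
            . " bytes to {$this->path}";
    }
}

final class Audit
{
    /** @var string[] */
    public static array $events = [];
}

// VULNERABLE: untrusted input goes straight to unserialize(). Any class loaded
// in the process can be instantiated with attacker-controlled properties, and
// its magic methods run even though the handler never "uses" the object.
function vulnerable_handler(string $param): void
{
    $data = unserialize($param);   // attacker controls the whole object graph
    unset($data);                  // refcount hits zero -> __destruct() fires
}

// HARDENED: refuse objects entirely. With allowed_classes => false every O:
// token becomes __PHP_Incomplete_Class, which has no magic methods to abuse.
// For new code, do not serialize() untrusted data at all; use JSON.
function hardened_handler(string $param): ?array
{
    $data = @unserialize($param, ['allowed_classes' => false]);
    if (!is_array($data)) {        // accept plain arrays only (false on error)
        return null;
    }
    foreach ($data as $v) {        // shallow check; walk recursively if nested
        if ($v instanceof __PHP_Incomplete_Class) {
            return null;
        }
    }
    return $data;
}

// Constructed payload, built offline exactly as an attacker would.
$gadget = new TempFileWriter();
$gadget->path = '/var/www/html/wp-content/uploads/shell.php'; // hypothetical
$gadget->data = '<?php /* attacker code */ ?>';
$payload = serialize($gadget);
unset($gadget);                    // discard the builder's own copy ...
Audit::$events = [];               // ... and ignore its __destruct() event

vulnerable_handler($payload);
var_dump(Audit::$events);          // one "destruct: would write ..." event

Audit::$events = [];
var_dump(hardened_handler($payload));                 // NULL
var_dump(Audit::$events);                             // empty: nothing fired
var_dump(hardened_handler(serialize(['room' => 12, 'nights' => 3]))); // array
```

Run it with `php poi-demo.php`. The point to take away is that the vulnerable handler does nothing with the result of unserialize(), yet the gadget still executes; the attack surface is every class definition loaded into the process, not the code path around the call. Adding a gadget-class denylist is not a fix, because the next plugin update can introduce a new one.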
Recommended Action (AI-generated)
Within 24 hours: Audit all WordPress instances for Alloggio theme deployment and classify by public exposure. …
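As an added example for the audit step (not vuln.today's, Patchstack's or edge-themes' code), the script below inventories WordPress document roots and flags installs where the Alloggio theme is at or below 2.1.2. It reads each theme's style.css header, where WordPress themes declare "Theme Name:" and "Version:", and matches on the declared name rather than the directory so renamed copies are caught. The docroot paths in the usage line are hypothetical; the affected-version boundary comes from the advisory, and no fixed version is assumed because the page does not give one.

```php
<?php
// Added example: flag WordPress installs running Alloggio <= 2.1.2.
// Paths below are hypothetical; pass your real document roots as arguments.
declare(strict_types=1);

const AFFECTED_MAX = '2.1.2';      // "<= 2.1.2" per the advisory
const THEME_NAME   = 'Alloggio';   // matched against the style.css header

// Same tolerant pattern WordPress uses for file headers: the field at the start
// of a line, optionally behind comment characters, case-insensitive.
function read_theme_header(string $styleCss, string $field): ?string
{
    $re = '/^[ \t\/*#@]*' . preg_quote($field, '/') . ':(.*)$/mi';
    return preg_match($re, $styleCss, $m) ? trim($m[1]) : null;
}

/** @return array<int, array<string, string>> one finding per matching theme */
function assess_docroot(string $docroot): array
{
    $themesDir = rtrim($docroot, '/') . '/wp-content/themes';
    $findings  = [];
    foreach (glob($themesDir . '/*/style.css') ?: [] as $file) {
        $css  = (string) file_get_contents($file);
        $name = read_theme_header($css, 'Theme Name') ?? '';
        if (stripos($name, THEME_NAME) === false) {
            continue;                              // some other theme
        }
        $version = read_theme_header($css, 'Version');
        $parent  = read_theme_header($css, 'Template');   // set for child themes
        if ($version === null) {
            $status = 'version header missing: inspect manually';
        } elseif (version_compare($version, AFFECTED_MAX, '<=')) {
            $status = 'AFFECTED (<= ' . AFFECTED_MAX . '): upgrade per vendor advisory';
        } else {
            $status = 'above ' . AFFECTED_MAX . ': confirm fix version against vendor changelog';
        }
        if ($parent !== null) {
            // A child theme inherits the parent's code; the parent directory
            // is what needs to be at a fixed version.
            $status .= " (child theme; parent directory '{$parent}' carries the code)";
        }
        $findings[] = [
            'docroot' => $docroot,
            'dir'     => basename(dirname($file)),
            'theme'   => $name,
            'version' => $version ?? 'unknown',
            'status'  => $status,
        ];
    }
    return $findings ?: [['docroot' => $docroot, 'status' => 'not installed']];
}

// Usage: php audit-alloggio.php /var/www/site1 /var/www/site2   (hypothetical paths)
foreach (array_slice($argv, 1) as $docroot) {
    foreach (assess_docroot($docroot) as $finding) {
        echo json_encode($finding), PHP_EOL;
    }
}
```

Combine the output with your inventory of which hosts are internet-facing to get the public-exposure classification the action item asks for; a theme present but inactive still ships its PHP files, so treat "installed" rather than "active" as the trigger for the upgrade.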
Identifier: EUVD-2026-37474