What is the CVSS score of CVE-2026-39550?

CVE-2026-39550 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Aperitif WordPress Theme are affected by CVE-2026-39550?

The Aperitif WordPress theme (versions 1.6 and earlier) contains a critical vulnerability that allows remote attackers to execute arbitrary code and fully compromise affected websites.

How to fix or mitigate CVE-2026-39550?

Within 24 hours: Scan all WordPress environments to identify Aperitif theme installations version 1.6 or earlier and classify by business criticality. Within 7 days: Deploy Web Application Firewall rules blocking PHP object injection patterns; restrict administrative access to theme configuration; disable theme features on non-critical sites; escalate patch request to Elated-Themes with severity classification. Within 30 days: Monitor Elated-Themes security advisories for patch release; plan migration to alternative theme or patched version; conduct incident response assessment if exploitation indicators are detected.

Aperitif WordPress Theme CVE-2026-39550

EUVD-2026-33911 HIGH

Deserialization of Untrusted Data (CWE-502)

2026-06-02 Patchstack

GHSA-4mp4-954f-p5jr

Deserialization Aperitif

8.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.1 HIGH

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 02, 2026 - 11:51 vuln.today

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in Elated-Themes Aperitif allows Object Injection.

This issue affects Aperitif: from n/a through 1.6.

AnalysisAI

Object injection in the Elated-Themes Aperitif WordPress theme through version 1.6 allows remote attackers to trigger PHP deserialization of attacker-controlled data, potentially leading to code execution, file manipulation, or full site compromise when a suitable gadget chain is present. CVSS 8.1 reflects high impact across confidentiality, integrity, and availability, though attack complexity is rated High. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify WordPress site running Aperitif ≤1.6

Delivery

Craft serialized PHP object payload with POP gadget

Exploit

Submit payload to vulnerable theme endpoint

Install

Trigger unserialize() on untrusted input

Gadget chain executes during object destruction

Execute

Achieve code execution or file write

Impact

Full site takeover

Recon

Identify WordPress site running Aperitif ≤1.6

Delivery

Craft serialized PHP object payload with POP gadget

Exploit

Submit payload to vulnerable theme endpoint

Install

Trigger unserialize() on untrusted input

Gadget chain executes during object destruction

Execute

Achieve code execution or file write

Impact

Full site takeover

Vulnerability AssessmentAI

Exploitation	Requires a WordPress site running the Elated-Themes Aperitif theme at version 1.6 or earlier with the vulnerable code path reachable over HTTP/HTTPS; the theme must be installed and active (or its vulnerable PHP file directly callable). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS:3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H indicates network-reachable, unauthenticated exploitation with no user interaction, but High attack complexity - consistent with object-injection bugs that require a viable gadget chain in the surrounding PHP environment to achieve meaningful impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A remote, unauthenticated attacker submits an HTTP request to a vulnerable Aperitif-powered WordPress site containing a crafted serialized PHP payload in a parameter, cookie, or option value that the theme passes to unserialize(). When PHP rehydrates the payload, magic methods on attacker-chosen classes from WordPress core or installed plugins fire (a POP chain), enabling arbitrary file write, SQL execution, or remote code execution and resulting in full site takeover. …
Remediation	No vendor-released patched version is identified in the available data - the advisory states the issue affects Aperitif 'from n/a through 1.6' without naming a fixed release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Scan all WordPress environments to identify Aperitif theme installations version 1.6 or earlier and classify by business criticality. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-39549 HIGH This Week

8.1 Jun 16

Unauthenticated local file inclusion in the Aperitif WordPress theme (versions up to and including 1.5) by elated-themes

CVE-2026-39550 vulnerability details – vuln.today

Back

Aperitif WordPress Theme CVE-2026-39550

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code