
Askka WordPress Theme CVE-2026-39555

EUVD-2026-33924 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-02 audit@patchstack.com GHSA-w594-jcp9-58h9
8.1 (CVSS 3.1 · NVD)

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 02, 2026 14:35 (vuln.today)

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection.

This issue affects Askka: from n/a through 1.3.1.

Analysis (AI)

PHP object injection in the Elated-Themes Askka WordPress theme through version 1.3.1 allows remote attackers to deserialize untrusted data, potentially leading to arbitrary code execution, file manipulation, or full site compromise depending on available gadget chains. The CVSS score of 8.1 reflects high impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) tempers immediate exploitability. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify WordPress site running Askka ≤1.3.1
Delivery: Enumerate installed plugins for POP gadgets
Exploit: Craft serialized PHP object payload
Install: Submit to vulnerable theme endpoint
C2: Trigger unserialize on attacker input
Execute: Execute gadget chain for file write or RCE
Impact: Establish persistence via webshell

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target WordPress site to have the Elated-Themes Askka theme installed and active at a version at or below 1.3.1, and the attacker must reach a theme-exposed endpoint (AJAX action, request parameter, or cookie) that passes untrusted input into unserialize() or equivalent. …

Risk Assessment: Risk signals are mixed. The CVSS vector AV:N/PR:N/UI:N indicates a remote, pre-authentication network attack with no user interaction, and the C:H/I:H/A:H impact metrics suggest full compromise is possible, but AC:H signals that successful exploitation requires non-trivial conditions such as a specific gadget chain or non-default state. …

Exploit Scenario: An attacker identifies a WordPress site running the Askka theme version 1.3.1 or earlier, crafts a serialized PHP object payload leveraging a gadget chain present in WordPress core or another installed plugin, and submits it to a vulnerable theme endpoint that calls unserialize() on user input. Successful exploitation could escalate to arbitrary file write, webshell deployment, or database compromise. …

Remediation: No vendor-released patch was identified at the time of analysis; the Patchstack record describes versions up to and including 1.3.1 as vulnerable and cites no fixed version. …

Recommended Action (AI)

Within 24 hours: Conduct full inventory of WordPress installations running Askka theme v1.3.1 or earlier; prioritize sites handling sensitive data or serving customers. …


CVE-2026-39555 vulnerability details – vuln.today
