Konsept WordPress Theme
CVE-2026-39556
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote unauthenticated HTTP reach (AV:N/PR:N/UI:N); AC:H because exploitation depends on a usable POP gadget chain in the installed stack; full CIA impact via PHP object injection leading to RCE.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated PHP Object Injection in Konsept <= 1.9 versions.
AnalysisAI
Unauthenticated PHP Object Injection affects the Konsept WordPress theme (by elated-themes) in versions 1.9 and earlier, allowing remote attackers to inject crafted serialized PHP objects without authentication. Successful exploitation can lead to a full compromise of the WordPress site - high impact on confidentiality, integrity, and availability - though CVSS rates attack complexity as high, indicating non-trivial conditions are required. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target WordPress site to have the Konsept theme version 1.9 or earlier installed and active, with the vulnerable code path reachable over HTTP (typical of public WordPress sites). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a WordPress site running the Konsept theme and submits a crafted request - for example, to a theme AJAX endpoint or via a cookie value - carrying a serialized PHP object that abuses a magic method gadget present in an installed plugin. When the theme unserializes the input, the gadget chain triggers, leading to arbitrary file write or code execution and full site takeover. … |
| Remediation | No vendor-released patch identified at time of analysis; administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/konsept/vulnerability/wordpress-konsept-theme-1-9-php-object-injection-vulnerability) and the elated-themes vendor portal for a fixed release above 1.9. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all WordPress installations and identify those running Konsept theme version 1.9 or earlier; assess data sensitivity of affected sites; prepare incident response procedures. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through
Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers
Share
External POC / Exploit Code
Leaving vuln.today