
Hiroshi Theme CVE-2026-39560

HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-17 Patchstack
8.1
CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Unauthenticated network-reachable theme endpoint (AV:N/PR:N/UI:N); AC:H reflects the gadget-chain precondition typical of PHP object injection, with full CIA impact on the WordPress host.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026, 14:34 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in Hiroshi <= 1.5.1 versions.

Analysis (AI)

Unauthenticated PHP object injection in the Select Themes 'Hiroshi' WordPress theme through version 1.5.1 allows remote attackers to supply crafted serialized payloads that are deserialized by the theme, potentially leading to code execution, file manipulation, or data compromise when a suitable PHP magic-method gadget chain is present in the WordPress stack. The flaw is reachable without authentication per the CVSS vector, and no public exploit has been identified at time of analysis.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Identify WordPress site running Hiroshi <= 1.5.1
  • Delivery: Craft serialized PHP object with gadget chain
  • Exploit: Send to vulnerable theme endpoint
  • Execution: Trigger unserialize and magic methods
  • Persist: Execute code or write files
  • Impact: Establish persistence on site

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target site to be running the Select Themes Hiroshi WordPress theme at version 1.5.1 or earlier and for the attacker to reach the specific theme-handled HTTP entry point that passes attacker-controlled input into PHP unserialize(); per the CVSS vector (AV:N/PR:N/UI:N) no authentication or user interaction is needed, but AC:H indicates a non-trivial precondition, which for PHP object injection typically means the victim must also have at least one loaded PHP class providing a usable magic-method gadget chain (commonly drawn from WordPress core, PHPMailer, Requests, or other active plugins). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects an unauthenticated, network-reachable issue with full CIA impact but elevated attack complexity, which typically indicates the attacker must locate or supply a usable gadget chain or meet a non-trivial precondition to achieve impact; this is consistent with PHP object injection, where exploitability depends on what classes are loaded at runtime. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker identifies a WordPress site running Hiroshi <= 1.5.1, then sends a crafted HTTP request to a theme endpoint or parameter whose value is passed to unserialize(), embedding a serialized object that triggers a PHP magic method on a class already loaded in the WordPress runtime. If a usable gadget chain exists in core, an installed plugin, or a bundled library, the deserialization can be steered into arbitrary file write or command execution, leading to full site takeover; no public PoC has been identified at time of analysis, so opportunistic mass exploitation is currently unlikely.

Remediation: No vendor-released patch identified at time of analysis in the supplied data; administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/hiroshi/vulnerability/wordpress-hiroshi-theme-1-5-1-php-object-injection-vulnerability for the latest fix status and upgrade to any Hiroshi release newer than 1.5.1 published by Select Themes once available. … Detailed patch versions, workarounds, and compensating controls in full report.
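The CWE-502 pattern this advisory describes, as an added illustration that is not code from the Hiroshi theme, Select Themes, Patchstack or vuln.today: a hypothetical settings loader that hands request input straight to PHP's unserialize(), placed beside two hardened versions a theme developer (or a site operator applying a temporary fix) would use instead. The function names, the AuditLogEntry class and the sample serialized payload are all constructed for the example; none of them reflects the actual Hiroshi code path, which the page does not show.

```php
<?php
// Added example for CVE-2026-39560 (PHP object injection). Hypothetical code,
// not the Hiroshi theme's; all names below are assumptions for illustration.
declare(strict_types=1);

// Stand-in for "some class already loaded in the WordPress runtime". Its
// __wakeup only records that it ran; in a real stack a magic method like this
// is the first link of whatever gadget chain happens to be present.
final class AuditLogEntry
{
    public static array $wakeups = [];
    public string $message = '';

    public function __wakeup(): void
    {
        self::$wakeups[] = $this->message;
    }
}

// Vulnerable pattern (hypothetical): untrusted input reaches unserialize() with
// default options, so any loaded class can be instantiated and its magic methods
// (__wakeup, __destruct, __toString, ...) execute during deserialization.
function hiroshi_like_load_settings_vulnerable(string $rawInput): mixed
{
    return unserialize($rawInput);
}

// Hardened pattern 1: keep the serialization format but forbid object creation.
// With allowed_classes => false every serialized object is materialised as
// __PHP_Incomplete_Class, so no magic method on a real class is invoked.
function hiroshi_like_load_settings_hardened(string $rawInput): mixed
{
    return unserialize($rawInput, ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred): do not use PHP serialization for untrusted
// data at all. JSON cannot express PHP objects, so decoding it cannot trigger
// magic methods. Malformed or non-array input yields null rather than a warning.
function hiroshi_like_load_settings_json(string $rawInput): ?array
{
    $decoded = json_decode($rawInput, true, 16);
    return is_array($decoded) ? $decoded : null;
}

// Constructed sample input: a serialized AuditLogEntry of the kind an HTTP
// parameter might carry. The object is harmless by construction.
$constructedPayload = 'O:13:"AuditLogEntry":1:{s:7:"message";s:11:"wakeup-hit!";}';

$vuln = hiroshi_like_load_settings_vulnerable($constructedPayload);
printf("vulnerable: class=%s, __wakeup calls=%d\n",
    get_class($vuln), count(AuditLogEntry::$wakeups));

AuditLogEntry::$wakeups = [];
$safe = hiroshi_like_load_settings_hardened($constructedPayload);
printf("hardened:   class=%s, __wakeup calls=%d\n",
    get_class($safe), count(AuditLogEntry::$wakeups));

var_dump(hiroshi_like_load_settings_json($constructedPayload));
var_dump(hiroshi_like_load_settings_json('{"layout":"grid"}'));
```

Run with the PHP CLI (`php example.php`). The vulnerable loader instantiates AuditLogEntry and its __wakeup fires once; the allowed_classes => false loader yields a __PHP_Incomplete_Class and __wakeup never runs, which is the behaviour the AC:H gadget-chain precondition in the vector hinges on; the JSON loader rejects the serialized string outright and only accepts plain array data. Of the two mitigations, switching the format is the durable one, since allowed_classes still leaves unserialize() parsing attacker-controlled bytes.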

Recommended Action (AI)

Within 24 hours: Inventory all WordPress instances to identify active deployments of Hiroshi theme version 1.5.1 or earlier. …




CVE-2026-39560 vulnerability details – vuln.today
