Skip to main content

Santé Theme CVE-2026-39567

| EUVD-2026-37480 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-16 Patchstack
PHP Deserialization Sant
8.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Unauthenticated network-reachable PHP object injection (AV:N, PR:N, UI:N) with high impact across CIA via gadget-chain RCE; AC:H reflects dependence on a viable POP chain.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:36 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in Santé <= 1.5.1 versions.

AnalysisAI

Unauthenticated PHP object injection in the Santé WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data and potentially achieve remote code execution, data tampering, or denial of service when a suitable POP gadget chain is present. The flaw is reported by Patchstack and tracked as EUVD-2026-37480; no public exploit identified at time of analysis, and the CVSS 8.1 score reflects high attack complexity offset by network reach and no authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Santé ≤1.5.1
Delivery
Craft serialized PHP object payload with POP chain
Exploit
Send unauthenticated HTTP request to vulnerable endpoint
Execution
Theme deserializes attacker input
Persist
Gadget chain executes via magic methods
Impact
Achieve code execution or data tampering
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target WordPress site has the Santé theme by Select Themes installed and active at version 1.5.1 or earlier and exposes the vulnerable deserialization endpoint to unauthenticated network traffic (PR:N, UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H combines unauthenticated network reach and high impact across CIA with high attack complexity, which typically reflects a dependency on a viable gadget chain or a specific request shape rather than a trivially exploitable sink. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request to a public Santé-powered WordPress site, embedding a serialized PHP object payload in the vulnerable parameter. When the theme deserializes the input, a POP gadget chain in WordPress, an installed plugin, or the theme itself is triggered via magic methods, allowing the attacker to write files, execute SQL, or obtain remote code execution depending on available gadgets - no public exploit is identified at time of analysis, but the high attack complexity reflects the need to identify or supply such a chain.
Remediation No vendor-released patch identified at time of analysis from the supplied data; site owners should consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/sante/vulnerability/wordpress-sante-theme-1-5-1-php-object-injection-vulnerability) for the latest fixed version and upgrade Santé to a release greater than 1.5.1 once published by Select Themes. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for Santé theme version 1.5.1 or earlier; document criticality and dependencies. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

CVE-2026-39567 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy