Severity by source
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable, unauthenticated WordPress theme endpoint (AV:N, PR:N, UI:N); practical PHP object injection needs a POP gadget chain, justifying AC:H; deserialization typically yields full C/I/A impact on the site.
Primary rating and CVSS vector from the vendor source (Patchstack).
Description (CVE.org)
Unauthenticated PHP Object Injection in Mildhill versions <= 1.5.
Analysis (AI-generated)
Unauthenticated PHP Object Injection affects the Select Themes Mildhill WordPress theme in versions 1.5 and earlier, allowing remote attackers to inject crafted serialized PHP objects that the application deserializes without validation. Successful exploitation can yield high confidentiality, integrity, and availability impact on the underlying WordPress site, typically by chaining the injected object with a POP gadget present in the theme, WordPress core, or another installed plugin. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | The target site must have the Select Themes Mildhill theme installed and active at version 1.5 or earlier, and the vulnerable parameter or endpoint that feeds into PHP unserialize() must be reachable over the network by the attacker. … |
| Risk Assessment | Signals are mixed and should be weighed carefully. … |
| Exploit Scenario | An unauthenticated attacker identifies a public WordPress site running Mildhill version 1.5 or earlier and sends a crafted HTTP request containing a serialized PHP payload to a theme endpoint or parameter that feeds into unserialize(). Because no public exploit was identified at the time of analysis, the attacker would first need a usable POP gadget chain in WordPress core or an installed plugin; if one exists, deserialization triggers magic methods that lead to arbitrary file read/write or remote code execution, after which the attacker installs a webshell and pivots to full site compromise. |
| Remediation | No vendor-released patch was identified at the time of analysis; the only reference is the Patchstack advisory at https://patchstack.com/database/wordpress/theme/mildhill/vulnerability/wordpress-mildhill-theme-1-5-php-object-injection-vulnerability, which does not list a fixed version in the provided data. Site operators should check Select Themes (ThemeForest/Qode Interactive) for a Mildhill release newer than 1.5 and upgrade as soon as one is published. … |
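As an added illustration (not code from the Mildhill theme, whose vulnerable code is not shown on this page), the "request data straight into unserialize()" pattern the assessment describes, beside a hardened replacement a theme developer could use. The `options` request parameter and the function names are assumptions; the hardened version assumes it runs inside WordPress, since it uses the core helpers wp_unslash() and sanitize_text_field().

```php
<?php
// Added illustration, not the Mildhill theme's code. The 'options' request
// parameter and the function names below are assumptions.

// Vulnerable pattern: a theme endpoint deserializes attacker-controlled input.
// Every loaded class with __wakeup()/__destruct()/__toString() becomes a
// candidate gadget, which is why the advisory rates the impact C:H/I:H/A:H.
function theme_load_options_unsafe(): array {
    $raw  = isset($_REQUEST['options']) ? (string) $_REQUEST['options'] : '';
    $opts = unserialize($raw);               // no validation, no class allow-list
    return is_array($opts) ? $opts : [];
}

// Hardened pattern: untrusted input must never instantiate objects.
// 1. Prefer JSON, which can only yield scalars and arrays.
// 2. For legacy serialized input, pass allowed_classes=false (PHP >= 7.0):
//    any object becomes __PHP_Incomplete_Class, so no real magic method runs.
// 3. Still reject any result that contains an object, then sanitize values.
function theme_load_options_safe(): array {
    $raw = isset($_REQUEST['options']) ? wp_unslash((string) $_REQUEST['options']) : '';
    if ($raw === '' || strlen($raw) > 4096) {
        return [];
    }
    $opts = json_decode($raw, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        $opts = @unserialize($raw, ['allowed_classes' => false]);
    }
    if (!is_array($opts) || theme_contains_object($opts)) {
        return [];
    }
    // Keep only string values and run them through WordPress sanitization.
    return array_map('sanitize_text_field', array_filter($opts, 'is_string'));
}

// Recursive check: true if any nested value is an object, including the
// __PHP_Incomplete_Class left behind by the allowed_classes=false path.
function theme_contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (theme_contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}
```

For detection on the operator side, the same idea applies in reverse: request parameters that begin with serialized-object tokens such as `O:` reaching a theme endpoint are worth logging and alerting on until the theme is updated.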
Recommended Action (AI-generated)
Within 24 hours: Scan all WordPress instances to identify those running Mildhill theme version 1.5 or earlier; document affected sites and their business criticality. …
EUVD-2026-37676