SingleMalt WordPress Theme
CVE-2026-39576
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Theme endpoint reachable over network without authentication or user interaction; AC:H because reliable RCE requires a usable PHP POP gadget chain; full CIA impact via deserialization to code execution.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated PHP Object Injection in SingleMalt <= 1.5 versions.
AnalysisAI
Unauthenticated PHP Object Injection in the SingleMalt WordPress theme (versions up to and including 1.5) allows remote attackers to deserialize attacker-controlled data, which can lead to compromise of confidentiality, integrity, and availability of affected WordPress sites. The flaw is exploitable without authentication or user interaction but has high attack complexity per its CVSS vector, and no public exploit identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target WordPress installation has the SingleMalt theme (elated-themes) installed and active at version 1.5 or earlier, and that the attacker can reach the vulnerable HTTP endpoint exposed by the theme over the network. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker identifies a WordPress site running the SingleMalt theme at version 1.5 or earlier and locates an unauthenticated entry point in the theme that passes user input to unserialize(). The attacker crafts a serialized PHP object that, when deserialized, triggers a POP gadget chain through classes loaded by WordPress core or other installed plugins to achieve file write or arbitrary command execution, then uses that primitive to drop a webshell and take over the site. |
| Remediation | No vendor-released patch identified at time of analysis from the provided data - administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/singlemalt/vulnerability/wordpress-singlemalt-theme-1-5-php-object-injection-vulnerability) and the elated-themes vendor portal for an updated SingleMalt release above 1.5 and apply it as soon as published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations and identify those using SingleMalt theme versions 1.5 or earlier. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through
Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers
Share
External POC / Exploit Code
Leaving vuln.today