Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network-reachable PHP Object Injection yielding full host impact, but AC:H reflects the need for a viable gadget chain in the deployed PHP class graph.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Unauthenticated PHP Object Injection in TechLink <= 1.3 versions.
Analysis (AI)
Unauthenticated PHP Object Injection in the Mikado-Themes TechLink WordPress theme (versions up to and including 1.3) allows remote attackers to trigger insecure deserialization of attacker-controlled data. Successful exploitation can lead to full compromise of the underlying WordPress site, including arbitrary code execution, data theft, and site defacement, though the CVSS vector flags high attack complexity (AC:H). …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires the target WordPress site to have the Mikado-Themes TechLink theme installed and active at version 1.3 or earlier, and the attacker must reach an HTTP endpoint exposed by that theme that passes user-supplied input into PHP unserialize(). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals diverge: the CVSS 3.1 base score is 8.1 (High) with AV:N/PR:N/UI:N and C:H/I:H/A:H, but AC:H indicates non-trivial preconditions such as a viable gadget chain or specific request shaping, which explains why it is not 9.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running TechLink ≤ 1.3, then submits an HTTP request containing a crafted serialized PHP object to a theme parameter that reaches unserialize(). When the payload is deserialized, a gadget chain built from classes loaded by WordPress core or active plugins executes during object destruction, giving the attacker remote code execution or file read/write under the web server user. … |
| Remediation | No vendor-released patch identified at the time of analysis; the input data does not name a fixed TechLink version, only that ≤ 1.3 is vulnerable. … Detailed patch versions, workarounds, and compensating controls in full report. |
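The unserialize() pattern the assessment describes, beside a hardened form, as an added illustration that is not code from the TechLink theme or from this report; the class, function and parameter names are hypothetical, and the gadget stand-in only records that its destructor ran.

```php
<?php
// Added illustration, not TechLink theme code; class, function and parameter names are hypothetical.
// Shows why unserialize() on request data is exploitable and how the hardened form neutralises it.

class LogFlusher {
    // Stand-in for a gadget class; a real chain's destructor would act on files. This one only records that it ran.
    public static array $events = [];
    public string $target = '';
    public function __destruct() {
        self::$events[] = "destructor ran with target={$this->target}";
    }
}

// Vulnerable pattern: theme state arrives in a request parameter and is unserialized as-is,
// so the client decides which classes are instantiated and whose magic methods run.
function load_layout_vulnerable(string $raw): mixed {
    return unserialize($raw);
}

// Hardened pattern: allowed_classes => false turns every serialized object into
// __PHP_Incomplete_Class, which has no methods, so no __destruct/__wakeup/__toString fires.
// Anything that is not a plain array of scalars is then rejected and logged.
function load_layout_hardened(string $raw): ?array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        error_log('rejected layout parameter: serialized object or malformed data');
        return null;
    }
    return $data;
}

function contains_object(array $data): bool {
    foreach ($data as $value) {
        if (is_object($value) || (is_array($value) && contains_object($value))) {
            return true;
        }
    }
    return false;
}

// Constructed inputs: a legitimate layout array, and the same parameter carrying
// a serialized object of a class the theme never meant to accept.
$benign = serialize(['columns' => 3, 'sidebar' => 'left']);
$object = 'O:10:"LogFlusher":1:{s:6:"target";s:12:"/tmp/example";}';
var_dump(load_layout_hardened($benign)); // legitimate data still round-trips
load_layout_vulnerable($object);         // object built and immediately freed: its destructor runs
var_dump(LogFlusher::$events);           // the destructor's record is now present
LogFlusher::$events = [];
var_dump(load_layout_hardened($object)); // rejected instead of instantiated
var_dump(LogFlusher::$events);           // no destructor ran this time
```

The recursive array check matters because allowed_classes only stops method execution; an __PHP_Incomplete_Class still arrives as a value and should be treated as a detection signal, not silently accepted.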
Recommended Action (AI)
Within 24 hours: Audit all WordPress installations for Mikado-Themes TechLink version 1.3 or earlier; immediately deactivate and uninstall the affected theme from all sites. …
EUVD-2026-37489