EUVD-2026-37607Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated network-reachable deserialization in a WordPress theme typically yields RCE via POP chains, justifying AV:N/AC:L/PR:N/UI:N and full C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated PHP Object Injection in AI Lab < 5.4.2 versions.
Articles & Coverage 1
AnalysisAI
Unauthenticated PHP Object Injection in the AI Lab WordPress theme versions prior to 5.4.2 enables remote attackers to deliver crafted serialized payloads to a vulnerable deserialization sink. With a CVSS 9.8 rating and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover depending on which POP gadget chains are available in WordPress core or installed plugins. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Target site must have the AI Lab theme by jwsthemes installed and activated at a version below 5.4.2, with the vulnerable deserialization endpoint reachable over HTTP/HTTPS from the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects worst-case impact: unauthenticated, network-reachable, low-complexity exploitation with full CIA compromise - consistent with deserialization-to-RCE patterns. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker enumerates WordPress sites running the AI Lab theme via fingerprinting (theme stylesheet path, generator tags) and sends an unauthenticated HTTP request to a vulnerable theme endpoint with a serialized PHP object payload. The injected object triggers a POP gadget chain in WordPress core or an installed plugin during deserialization, achieving arbitrary file write or code execution that lets the attacker drop a webshell and take over the site. … |
| Remediation | Upgrade the AI Lab theme to version 5.4.2 or later, which is the vendor-released patch identified in the Patchstack advisory (https://patchstack.com/database/wordpress/theme/ailab/vulnerability/wordpress-ai-lab-theme-5-4-2-php-object-injection-vulnerability). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations using AI Lab theme; identify systems running versions prior to 5.4.2; isolate critical instances; prepare rollback and recovery procedures. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through
Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers
Share
External POC / Exploit Code
Leaving vuln.today