
Thrive Apprentice CVE-2026-49107

EUVD-2026-37622 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-17 · Patchstack
CVSS 3.1: 9.8 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 9.8 CRITICAL

Unauthenticated network-reachable PHP object injection with no user interaction; deserialization sinks in WordPress plugins typically yield full RCE, justifying C:H/I:H/A:H.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 17, 2026 - 13:01 (EUVD)
Analysis Generated: Jun 17, 2026 - 12:03 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in Thrive Apprentice < 10.8.10.2 versions.

Analysis (AI)

Unauthenticated PHP Object Injection in the Thrive Apprentice WordPress plugin (versions prior to 10.8.10.2) allows remote attackers to inject arbitrary PHP objects that get deserialized by the application, potentially leading to remote code execution when a suitable POP gadget chain is present. The flaw is reachable without authentication and carries a CVSS 9.8 critical rating with full confidentiality, integrity, and availability impact. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Fingerprint WordPress site running Thrive Apprentice
Delivery: Craft serialized PHP object payload
Exploit: Send unauthenticated HTTP request to vulnerable endpoint
Install: Plugin deserializes attacker input
C2: POP gadget chain triggers on magic method
Execute: Execute arbitrary code as web server user
Impact: Persist webshell and pivot

Vulnerability Assessment (AI)

Exploitation: The target must be a WordPress site running the Thrive Apprentice plugin at a version below 10.8.10.2, with the vulnerable plugin endpoint(s) network-reachable to the attacker over HTTP/HTTPS; per the CVSS vector AV:N/AC:L/PR:N/UI:N, no authentication, no user interaction, and no special configuration are required. …

Risk Assessment: The signals strongly converge on this being a high-priority issue: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N indicates remote, low-complexity, unauthenticated exploitation with high impact across the CIA triad, and Patchstack, a credible WordPress vulnerability research source, classified it as Object Injection. …

Exploit Scenario: A remote attacker identifies a WordPress site running a vulnerable Thrive Apprentice version (often via plugin fingerprinting on /wp-content/plugins/thrive-apprentice/ assets), then sends an HTTP request containing a crafted serialized PHP payload to the vulnerable plugin endpoint. When the plugin unserializes the input, a POP gadget chain in WordPress core or another installed plugin is triggered, leading to arbitrary file write, SQL execution, or command execution under the web server user, fully compromising the site. …

Remediation: An upstream fix is available; the Patchstack advisory designates 10.8.10.2 as the fixed release, so administrators should upgrade Thrive Apprentice to version 10.8.10.2 or later via the WordPress plugin updater or the Thrive Themes dashboard, and verify the installed version after the update. …

Recommended Action (AI)

Within 24 hours: Identify all WordPress sites using Thrive Apprentice plugin and document their current versions. …
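An added example (not vuln.today's, Patchstack's or Thrive Themes' code) of the inventory-and-verify step the remediation and recommended action above call for: it reads the WordPress "Version:" plugin header and compares it numerically against the fixed release 10.8.10.2, because a plain string comparison ranks 10.8.9 above 10.8.10.2 and would miss affected installs. The plugin main-file path and the sample headers are constructed assumptions.

```python
import re
from pathlib import Path

# Fixed release named in the advisory; anything below it is affected.
FIXED_VERSION = "10.8.10.2"

# Constructed sample headers in WordPress plugin main-file format
# (not taken from the real plugin); one per hypothetical site.
SAMPLE_HEADERS = {
    "site-a": "<?php\n/**\n * Plugin Name: Thrive Apprentice\n * Version: 10.8.9\n */\n",
    "site-b": "<?php\n/**\n * Plugin Name: Thrive Apprentice\n * Version: 10.8.10.2\n */\n",
    "site-c": "<?php\n/**\n * Plugin Name: Thrive Apprentice\n * Version: 10.8.10.10\n */\n",
}

def parse_version(version):
    """Turn '10.8.10.2' into (10, 8, 10, 2) so each component is compared
    as an integer; string comparison would put '10.8.9' above '10.8.10.2'
    because '9' > '1'."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def extract_header_version(source):
    """Read the 'Version:' line from a plugin main file's header block."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", source, re.M | re.I)
    return match.group(1) if match else None

def is_vulnerable(version):
    """True when the installed version is below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def audit_headers(headers):
    """Map site name -> (version, vulnerable) for a dict of header sources;
    a header with no Version line is reported as (None, None)."""
    results = {}
    for site, source in headers.items():
        version = extract_header_version(source)
        results[site] = (version, is_vulnerable(version) if version else None)
    return results

def audit_install(wp_root):
    """Audit a real install. The main-file path below is an assumption;
    adjust it to the plugin directory actually present on the server."""
    main_file = Path(wp_root) / "wp-content/plugins/thrive-apprentice/thrive-apprentice.php"
    if not main_file.is_file():
        return (None, None)  # plugin not installed under the assumed path
    return audit_headers({"local": main_file.read_text(errors="replace")})["local"]

if __name__ == "__main__":
    for site, (version, vulnerable) in audit_headers(SAMPLE_HEADERS).items():
        status = "UPDATE REQUIRED" if vulnerable else ("ok" if vulnerable is False else "unknown")
        print(f"{site}: version {version} -> {status}")
```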
