Moderno WordPress Theme
CVE-2026-49108
Severity: CRITICAL

Severity by source: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Note: Unauthenticated network sink (PR:N/AV:N), but practical RCE requires a viable POP gadget chain in co-installed code, justifying AC:H; full CIA impact retained.

Primary rating from vendor (Patchstack).
CVSS vector (vendor: Patchstack): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Unauthenticated PHP Object Injection in Moderno versions < 1.43.
Analysis (AI)
Remote code execution via unauthenticated PHP Object Injection affects the Moderno WordPress theme in all versions prior to 1.43, enabling attackers to send crafted serialized payloads that trigger malicious object instantiation. With CVSS 9.8 and a fully remote, no-interaction attack vector, successful exploitation hinges on the presence of usable POP gadget chains in WordPress core or co-installed plugins. …
Attack Chain (AI-derived)
[Attack chain visualization: hypothetical attack flow derived from CVE metadata]
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that a target WordPress site has the Moderno theme installed and active at a version below 1.43, and that the vulnerable theme endpoint accepting attacker-controlled serialized input is reachable over HTTP/HTTPS. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects worst-case impact: network-reachable, low-complexity, unauthenticated, with full CIA compromise. … |
| Exploit Scenario | A remote attacker sends an HTTP request to a public Moderno-themed WordPress site containing a crafted PHP-serialized payload in a parameter that the theme passes to unserialize(). The deserializer instantiates attacker-chosen classes from WordPress core or installed plugins, and through a POP gadget chain triggers arbitrary file write or command execution, yielding webshell deployment and full site takeover. … |
| Remediation | Patch available per vendor advisory: upgrade the Moderno theme to version 1.43 or later, as documented at https://patchstack.com/database/wordpress/theme/moderno/vulnerability/wordpress-moderno-theme-1-43-php-object-injection-vulnerability. … |
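The exploit scenario above turns on a single sink: request data reaching PHP's unserialize() without class restrictions. The following is an added example, not code from the Moderno theme, from Patchstack or from this site; the function names, the `layout`/`columns` schema and the sample inputs are all hypothetical. It places that unsafe pattern beside two defensive forms a theme or plugin maintainer can adopt when upgrading is not immediately possible, and shows why the hardened variant leaves a POP chain nothing to hook.

```php
<?php
// Added example (hypothetical names; not the theme's own code).

// Vulnerable pattern: attacker-controlled input reaches unserialize() unrestricted.
// Any class already loaded by WordPress core, plugins or the theme can be
// instantiated, and its magic methods (__wakeup, __destruct, __toString, ...)
// run on attacker-chosen property values. This is the sink PHP Object Injection
// abuses; the gadget classes come from whatever else is installed.
function load_widget_state_vulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardening option 1: keep the serialized format but forbid object creation.
// With allowed_classes => false (PHP >= 7.0), every serialized object is
// restored as __PHP_Incomplete_Class, whose magic methods never execute, so
// scalar and array data still round-trips while object instantiation is gone.
function load_widget_state_scalars_only(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardening option 2: stop accepting PHP serialization from untrusted callers.
// JSON cannot encode class names, and an explicit key allow-list bounds what the
// decoded state may contain (hypothetical schema: layout and columns).
function load_widget_state_json(string $raw): ?array
{
    $data = json_decode($raw, true, 16);
    if (!is_array($data)) {
        return null;
    }
    $state = [];
    foreach (['layout', 'columns'] as $key) {
        if (array_key_exists($key, $data)) {
            $state[$key] = $data[$key];
        }
    }
    return $state;
}

// Constructed sample inputs for a local run (not captured traffic).
// The second one serializes a harmless stdClass; it stands in for any object.
$samples = [
    'array-only'  => 'a:2:{s:6:"layout";s:4:"grid";s:7:"columns";i:3;}',
    'object'      => 'O:8:"stdClass":1:{s:6:"layout";s:4:"grid";}',
];

foreach ($samples as $label => $raw) {
    $hardened = load_widget_state_scalars_only($raw);
    // For the object sample this reports __PHP_Incomplete_Class rather than
    // stdClass: the class was named in the payload but was never instantiated.
    printf(
        "%-11s -> %s\n",
        $label,
        is_object($hardened) ? get_class($hardened) : gettype($hardened)
    );
}

// JSON path: the same state expressed without any class-bearing format.
var_export(load_widget_state_json('{"layout":"grid","columns":3,"extra":"dropped"}'));
echo PHP_EOL;
```

When reviewing a theme for this class of bug, the grep target is any unserialize() or maybe_unserialize() call whose argument can be traced back to $_GET, $_POST, $_COOKIE, $_REQUEST or a REST/AJAX parameter; each such call either needs the allowed_classes restriction shown above or a move to JSON with validation.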
Recommended Action (AI)
Within 24 hours: Audit WordPress instances for Moderno theme installations and document version numbers; assess whether exploitation is feasible by identifying available POP gadget chains in installed WordPress plugins and core. …