Skip to main content

Themify Popup CVE-2026-56037

| EUVDEUVD-2026-41322 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-02 audit@patchstack.com GHSA-2vg7-9fw4-fmph
8.8
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable plugin endpoint (AV:N/AC:L) needs a low-privilege authenticated account (PR:L) and no interaction (UI:N); object injection can yield full RCE, so C/I/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:31 vuln.today

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in Themify Themify Popup allows Object Injection.

This issue affects Themify Popup: from n/a through 1.4.3.

AnalysisAI

PHP Object Injection in the Themify Popup WordPress plugin (all versions through 1.4.3) lets an authenticated attacker pass attacker-controlled serialized data into an unsafe deserialization sink (CWE-502), instantiating arbitrary PHP objects. Combined with a suitable gadget chain in the plugin, WordPress core, or other installed code, this can escalate to remote code execution, data theft, or site takeover. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege WordPress account
Delivery
Craft malicious serialized PHP object
Exploit
Submit to vulnerable Themify Popup endpoint
Execution
Trigger unserialize object injection
Persist
Fire gadget-chain magic methods
Impact
Execute code or tamper site data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session at low privilege (CVSS PR:L) on a site running Themify Popup version 1.4.3 or earlier, and the ability to reach the plugin request path that deserializes user-supplied input; no user interaction is needed (UI:N) and the attack is network-facing (AV:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) indicates network-reachable, low-complexity exploitation requiring only low-privilege authentication and no user interaction, with high confidentiality, integrity, and availability impact - a serious profile for an authenticated WordPress user. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege authenticated account on a WordPress site running Themify Popup <= 1.4.3, then submits a crafted serialized PHP object to a plugin request handler that deserializes it. If a compatible gadget chain is present in the site's loaded code, the injected object's magic methods fire during unserialization, letting the attacker write files, tamper with the database, or execute code to compromise the site. …
Remediation Upgrade to a fixed release of Themify Popup newer than 1.4.3 once published by the vendor; the input does not specify an exact patched version, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/themify-popup/vulnerability/wordpress-themify-popup-plugin-1-4-3-php-object-injection-vulnerability?_s_id=cve) and the Themify changelog for the corrected build. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit and document all WordPress instances running Themify Popup through version 1.4.3; review and restrict administrator and editor account access to only trusted personnel. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy