Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable plugin endpoint (AV:N/AC:L) needs a low-privilege authenticated account (PR:L) and no interaction (UI:N); object injection can yield full RCE, so C/I/A:H.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Deserialization of Untrusted Data vulnerability in Themify Themify Popup allows Object Injection.
This issue affects Themify Popup: from n/a through 1.4.3.
AnalysisAI
PHP Object Injection in the Themify Popup WordPress plugin (all versions through 1.4.3) lets an authenticated attacker pass attacker-controlled serialized data into an unsafe deserialization sink (CWE-502), instantiating arbitrary PHP objects. Combined with a suitable gadget chain in the plugin, WordPress core, or other installed code, this can escalate to remote code execution, data theft, or site takeover. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session at low privilege (CVSS PR:L) on a site running Themify Popup version 1.4.3 or earlier, and the ability to reach the plugin request path that deserializes user-supplied input; no user interaction is needed (UI:N) and the attack is network-facing (AV:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) indicates network-reachable, low-complexity exploitation requiring only low-privilege authentication and no user interaction, with high confidentiality, integrity, and availability impact - a serious profile for an authenticated WordPress user. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a low-privilege authenticated account on a WordPress site running Themify Popup <= 1.4.3, then submits a crafted serialized PHP object to a plugin request handler that deserializes it. If a compatible gadget chain is present in the site's loaded code, the injected object's magic methods fire during unserialization, letting the attacker write files, tamper with the database, or execute code to compromise the site. … |
| Remediation | Upgrade to a fixed release of Themify Popup newer than 1.4.3 once published by the vendor; the input does not specify an exact patched version, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/themify-popup/vulnerability/wordpress-themify-popup-plugin-1-4-3-php-object-injection-vulnerability?_s_id=cve) and the Themify changelog for the corrected build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit and document all WordPress instances running Themify Popup through version 1.4.3; review and restrict administrator and editor account access to only trusted personnel. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41322
GHSA-2vg7-9fw4-fmph