Skip to main content

Grand Photography CVE-2026-57770

| EUVDEUVD-2026-43390 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-07-13 Patchstack
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated network-reachable unserialize sink (AV:N/AC:L/PR:N/UI:N); worst-case gadget-driven RCE justifies C:H/I:H/A:H, though real impact depends on available POP chains.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:37 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
CRITICAL 9.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Photography grandphotography allows Object Injection.This issue affects Grand Photography: from n/a through <= 5.7.8.

AnalysisAI

PHP Object Injection in the ThemeGoods Grand Photography WordPress theme (all versions up to and including 5.7.8) lets remote attackers deliver crafted serialized data to an unsafe unserialize() sink, potentially achieving code execution, file operations, or SQL injection through POP gadget chains. The CVSS 9.8 rating reflects unauthenticated network exploitation (PR:N/UI:N) with full confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running Grand Photography ≤5.7.8
Delivery
Craft serialized PHP object payload
Exploit
Send to unserialize endpoint
Execution
Trigger POP gadget chain on deserialization
Persist
Execute file write or SQL injection
Impact
Full site compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target site runs ThemeGoods Grand Photography at version 5.7.8 or earlier and that attacker-controlled input reaches the theme's unserialize() sink. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8) describes a trivially reachable, unauthenticated, network-facing flaw with total system impact, which on paper is maximum priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker crafts a serialized PHP object payload and submits it to a Grand Photography endpoint that unserializes user input; when the payload is deserialized it triggers a POP gadget chain present on the site, leading to actions such as arbitrary file write or SQL injection and potentially full site takeover. Because the CVSS vector is AV:N/AC:L/PR:N/UI:N, this requires only a single crafted HTTP request with no authentication or user interaction. …
Remediation No fixed version is stated in the available data (affected range is 'n/a through <= 5.7.8'), so no vendor-released patch is confirmed at time of analysis; monitor ThemeGoods and the Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/grandphotography/vulnerability/wordpress-grand-photography-theme-5-7-8-php-object-injection-vulnerability) for a release above 5.7.8 and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, conduct a complete inventory of WordPress installations to identify all instances of ThemeGoods Grand Photography theme version 5.7.8 or earlier and disable the theme immediately as a temporary mitigation measure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57770 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy