EUVD-2026-12821
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
Deserialization of Untrusted Data vulnerability in Shinetheme Traveler allows Object Injection.This issue affects Traveler: from n/a before 3.2.8.1.
Analysis
A critical PHP object injection vulnerability exists in the Shinetheme Traveler WordPress theme due to insecure deserialization of untrusted data. This affects all versions prior to 3.2.8.1 and allows unauthenticated remote attackers to execute arbitrary code, compromise data confidentiality and integrity, and cause denial of service. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all WordPress installations using Shinetheme Traveler theme and identify affected versions (prior to 3.2.8.1); disable or deactivate the theme on production sites if version cannot be immediately confirmed as patched. Within 7 days: Contact Shinetheme for patch availability status and timeline; implement Web Application Firewall (WAF) rules to block PHP object injection payloads; apply the patch immediately upon release or migrate to an alternative theme if patch timeline is unacceptable. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today