What is the CVSS score of EUVD-2026-33912?

EUVD-2026-33912 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Töbel WordPress Theme are affected by EUVD-2026-33912?

The Elated-Themes Töbel WordPress theme (versions ≤1.8.1) contains an unauthenticated remote code execution vulnerability through unsafe object deserialization, exposing any WordPress site running…

How to fix or mitigate EUVD-2026-33912?

Within 24 hours: Audit all WordPress installations to identify sites running Töbel theme v1.8.1 or earlier. Within 7 days: Disable the theme and switch to an alternative, or apply WAF rules to block serialized object payloads; restrict theme file access if remediation is not immediately possible. Within 30 days: Verify all affected installations have migrated away from Töbel or wait for Elated-Themes patch release; confirm no backdoors were installed during exposure window.

Töbel WordPress Theme EUVD-2026-33912

| CVE-2026-39551 HIGH

Deserialization of Untrusted Data (CWE-502)

2026-06-02 Patchstack

GHSA-2w4f-7crj-wgcm

Deserialization T Bel

8.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.1 HIGH

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 02, 2026 - 11:51 vuln.today

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in Elated-Themes Töbel allows Object Injection.

This issue affects Töbel: from n/a through 1.8.1.

AnalysisAI

PHP object injection in the Elated-Themes Töbel WordPress theme (versions up to and including 1.8.1) allows remote attackers to trigger unsafe deserialization of attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or data tampering depending on available POP gadgets. Rated CVSS 8.1 (High) with no public exploit identified at time of analysis and no CISA KEV listing, though the network attack vector and lack of authentication requirement make it a meaningful risk to any WordPress site running the theme.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify WordPress site running Töbel ≤1.8.1

Delivery

Enumerate plugins for usable POP gadgets

Exploit

Craft serialized PHP payload

Install

Send to vulnerable theme endpoint

Trigger unserialize() and gadget chain

Execute

Achieve code execution or file write

Impact

Establish persistence via webshell or admin user

Recon

Identify WordPress site running Töbel ≤1.8.1

Delivery

Enumerate plugins for usable POP gadgets

Exploit

Craft serialized PHP payload

Install

Send to vulnerable theme endpoint

Trigger unserialize() and gadget chain

Execute

Achieve code execution or file write

Impact

Establish persistence via webshell or admin user

Vulnerability AssessmentAI

Exploitation	The target site must have the Elated-Themes Töbel theme installed and active at version 1.8.1 or earlier, and the vulnerable code path (a theme endpoint or hook that passes user input into PHP deserialization) must be reachable over HTTP/HTTPS. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H indicates a network-reachable, unauthenticated bug with no user interaction but elevated attack complexity - the AC:H signals that exploitation likely requires a usable gadget chain or specific timing/state, not a one-shot payload. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated attacker sends an HTTP request to a public WordPress endpoint exposed by the Töbel theme, supplying a crafted serialized PHP payload in a parameter that the theme passes to unserialize(). When combined with a POP gadget chain present in WordPress core or another installed plugin, deserialization instantiates attacker-controlled objects and triggers magic methods, leading to outcomes such as arbitrary file write, SQL execution, or remote code execution. …
Remediation	No vendor-released patch identified at time of analysis - the Patchstack advisory lists affected versions through 1.8.1 with no fixed release noted, so site owners should monitor https://patchstack.com/database/wordpress/theme/tobel/vulnerability/wordpress-toebel-theme-1-8-1-php-object-injection-vulnerability and the Elated-Themes vendor site for an updated build and apply it as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations to identify sites running Töbel theme v1.8.1 or earlier. …

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-33912 vulnerability details – vuln.today

Back

Töbel WordPress Theme EUVD-2026-33912

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code