Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable theme endpoint with no auth or user interaction (AV:N/PR:N/UI:N); AC:H because reliable RCE depends on an available PHP gadget chain in the deployed stack; full C/I/A impact on the WordPress site.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Unauthenticated PHP Object Injection in Fidalgo <= 1.2.2 versions.
Analysis (AI)
Unauthenticated PHP Object Injection in the Fidalgo WordPress theme (versions ≤1.2.2) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the theme, potentially leading to arbitrary code execution, data tampering, or service disruption depending on available gadget chains. No public exploit identified at time of analysis, but the unauthenticated network vector and CWE-502 classification make this a meaningful risk for WordPress sites running this commercial theme.
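The pattern the analysis describes, as an added illustration that is not code from the Fidalgo theme, from Patchstack or from vuln.today: a hypothetical gadget class (`CacheWriter`), a handler that passes request data straight to `unserialize()`, and the two standard fixes. The page does not identify the theme's actual endpoint or any real gadget chain, so every class, function and payload below is an assumption made for the demonstration; the block targets PHP 8 and writes only a marker file in the system temp directory.

```php
<?php
// Added illustration, not code from the Fidalgo theme or from vuln.today: the
// CWE-502 pattern behind a PHP Object Injection and the two standard fixes.
// CacheWriter, the handler functions and the payload are all hypothetical.

// Hypothetical gadget. It is not malicious by itself, but its __destruct() does
// file I/O with attacker-controllable properties. Any class like this that is
// loaded in the WordPress process (core, plugins, the theme) is a candidate
// link in a gadget chain once untrusted data reaches unserialize().
class CacheWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // Runs when the object is released, e.g. right after the result of
        // unserialize() is discarded. Nothing ever has to call CacheWriter.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern: request data passed straight to unserialize(). Whatever
// class name the payload carries is instantiated with attacker-chosen fields.
function vulnerable_handler(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Fix 1: forbid class instantiation. Objects in the payload come back as
// __PHP_Incomplete_Class, and no magic method of the named class runs.
function hardened_handler(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Fix 2: do not use PHP serialization across a trust boundary at all; JSON
// has no way to name a class.
function json_handler(string $untrusted): mixed
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Build a serialized object by hand (O:<len>:"<class>":<n>:{...}) so the
// attacker side never has to load the gadget class itself.
function serialized_object(string $class, array $stringProps): string
{
    $out = sprintf('O:%d:"%s":%d:{', strlen($class), $class, count($stringProps));
    foreach ($stringProps as $k => $v) {
        $out .= sprintf('s:%d:"%s";s:%d:"%s";', strlen($k), $k, strlen($v), $v);
    }
    return $out . '}';
}

// Constructed attacker payload: write a marker file via the gadget's destructor.
$marker  = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
$payload = serialized_object('CacheWriter', [
    'path' => $marker,
    'data' => "written by an attacker-controlled __destruct\n",
]);

// 1. Vulnerable handler: the gadget is instantiated and fires on release.
$obj = vulnerable_handler($payload);
printf("vulnerable: got %s\n", get_class($obj));
unset($obj);
printf("vulnerable: marker file exists: %s\n", var_export(file_exists($marker), true));
@unlink($marker);

// 2. Hardened handler: same payload, but the class is never instantiated.
$safe = hardened_handler($payload);
printf("hardened:   got %s\n", get_class($safe));
unset($safe);
printf("hardened:   marker file exists: %s\n", var_export(file_exists($marker), true));

// 3. JSON handler: the payload is not even valid input.
try {
    json_handler($payload);
} catch (JsonException $e) {
    printf("json:       rejected (%s)\n", $e->getMessage());
}
```

The attacker never needs the gadget class on their own machine; the serialized string only names it, and the victim's interpreter does the instantiation. That is why AC:H here is about whether a usable class is loaded on the target, not about the difficulty of crafting the request. `allowed_classes` has been available since PHP 7.0, so it is usable on any supported WordPress stack; when the code genuinely needs objects back, pass an explicit allow-list of class names rather than `false`.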
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Target site must be running the Fidalgo WordPress theme at version 1.2.2 or earlier, with the vulnerable theme code reachable over HTTP(S) on a publicly accessible endpoint (AJAX, REST, or a front-end request handler). … |
| Risk Assessment | The CVSS 3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects an unauthenticated, network-reachable flaw with high impact on confidentiality, integrity, and availability, tempered by high attack complexity: exploitation typically depends on a usable PHP gadget chain in the running WordPress stack, which is environment-specific. … |
| Exploit Scenario | An unauthenticated remote attacker identifies a WordPress site running Fidalgo ≤1.2.2 and sends a crafted HTTP request to the vulnerable theme endpoint carrying a serialized PHP object that targets a known gadget chain in WordPress core or a co-installed plugin. When the theme deserializes the payload, the chain performs actions such as an arbitrary file write, SQL execution, or remote code execution, yielding full compromise of the WordPress installation. … |
| Remediation | No vendor-released patch was identified at the time of analysis from the supplied data. Site operators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/fidalgo/vulnerability/wordpress-fidalgo-theme-1-2-2-php-object-injection-vulnerability and the Elated Themes vendor channel for a theme release above 1.2.2, and apply it as soon as it is published. … |
Recommended Action (AI)
24 hours: Audit all WordPress installations to identify Fidalgo theme deployment and versions; document scope and determine business criticality of affected systems. …
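One way to do the 24-hour inventory step, as an added example that is not part of the vuln.today page or of the Fidalgo theme: parse the header block of each theme's `style.css` under a site root and flag any Fidalgo install at or below 1.2.2, treating child themes as affected when their `Template:` header points at an affected parent (a child theme runs the parent's code). The site root, the fixture themes and the `is_affected` helper are constructed for the demonstration; the header regex is the one WordPress core uses to read file headers.

```php
<?php
// Added example (not part of the vuln.today page or the Fidalgo theme): inventory
// installed themes by parsing the WordPress style.css header block and flag any
// Fidalgo install at or below 1.2.2. The site root below is a constructed fixture.

const AFFECTED_THEME    = 'Fidalgo';
const LAST_VULN_VERSION = '1.2.2';   // advisory: "<= 1.2.2"

// Parse "Field: value" lines from a theme's style.css header comment, using the
// same pattern WordPress core applies when it reads file headers.
function parse_theme_header(string $css): array
{
    $fields = [];
    foreach (['Theme Name', 'Version', 'Template'] as $field) {
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($field, '/') . ':(.*)$/mi', $css, $m)) {
            $fields[$field] = trim($m[1]);
        }
    }
    return $fields;
}

// Direct match: the theme itself is Fidalgo at a version in the affected range.
function is_affected(array $header): bool
{
    return isset($header['Theme Name'], $header['Version'])
        && strcasecmp($header['Theme Name'], AFFECTED_THEME) === 0
        && version_compare($header['Version'], LAST_VULN_VERSION, '<=');
}

// Walk wp-content/themes/*/style.css under one site root and return one row per
// theme directory, keyed by slug. Reports what is on disk, active or not.
function audit_site(string $root): array
{
    $results = [];
    foreach (glob($root . '/wp-content/themes/*/style.css') ?: [] as $css) {
        $h = parse_theme_header((string) file_get_contents($css));
        $results[basename(dirname($css))] = [
            'name'     => $h['Theme Name'] ?? '?',
            'version'  => $h['Version'] ?? '?',
            'parent'   => $h['Template'] ?? null,   // set only for child themes
            'affected' => is_affected($h),
            'via'      => null,
        ];
    }
    // A child theme executes its parent's code, so inherit the parent's flag.
    // The Template header holds the parent's directory slug, which is our key.
    foreach ($results as &$r) {
        if ($r['parent'] !== null && !empty($results[$r['parent']]['affected'])) {
            $r['affected'] = true;
            $r['via']      = $r['parent'];
        }
    }
    unset($r);
    return $results;
}

// Constructed fixture: a fake site root with a vulnerable parent theme, a child
// theme that inherits it, and an unrelated theme.
$root = sys_get_temp_dir() . '/poi-audit-' . getmypid();
$fixtures = [
    'fidalgo'       => "/*\nTheme Name: Fidalgo\nVersion: 1.2.2\n*/\n",
    'fidalgo-child' => "/*\nTheme Name: Fidalgo Child\nTemplate: fidalgo\nVersion: 1.0\n*/\n",
    'twentytwenty'  => "/*\nTheme Name: Twenty Twenty\nVersion: 2.5\n*/\n",
];
foreach ($fixtures as $slug => $css) {
    mkdir("$root/wp-content/themes/$slug", 0700, true);
    file_put_contents("$root/wp-content/themes/$slug/style.css", $css);
}

foreach (audit_site($root) as $slug => $r) {
    $status = $r['affected']
        ? 'AFFECTED (<= ' . LAST_VULN_VERSION . ($r['via'] ? ", via parent {$r['via']}" : '') . ')'
        : 'ok';
    printf("%-14s %-14s %-7s %s\n", $slug, $r['name'], $r['version'], $status);
}

// Tidy up the fixture.
foreach (array_keys($fixtures) as $slug) {
    unlink("$root/wp-content/themes/$slug/style.css");
    rmdir("$root/wp-content/themes/$slug");
}
rmdir("$root/wp-content/themes");
rmdir("$root/wp-content");
rmdir($root);
```

Point `audit_site()` at each real document root (or loop it over a list of them) instead of the fixture. The scan reports every theme directory on disk; cross-check which one is active with `wp theme list` on the same host, and keep the affected-but-inactive ones on the removal list anyway, since the advisory gives no basis for treating an installed copy as harmless.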
EUVD-2026-37478