Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable unauthenticated unserialize sink (AV:N/PR:N/UI:N); AC:H because impact depends on a usable PHP gadget chain; full C/I/A on successful RCE.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Unauthenticated PHP Object Injection in NeoBeat <= 1.7 versions.
Analysis (AI-generated)
Unauthenticated PHP Object Injection in the NeoBeat WordPress theme (versions ≤1.7) allows remote attackers to inject crafted serialized objects that, when deserialized by the application, can be chained with available gadgets to compromise the site. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high impact across confidentiality, integrity and availability if a usable gadget chain is present in the WordPress core or installed plugins.
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)
| Area | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the target site to run the Elated-Themes NeoBeat theme at version ≤1.7 and to expose the vulnerable deserialization endpoint over HTTP/HTTPS (network reachable, no authentication, no user interaction per AV:N/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) shows a network-reachable, unauthenticated flaw with high impact but elevated attack complexity - AC:H typically signals that successful exploitation depends on a viable gadget chain in the site's specific plugin/theme stack, which is not always present. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request to a NeoBeat-powered WordPress site containing a serialized PHP payload in a parameter that the theme passes to unserialize(). When the application deserializes it, a gadget chain assembled from WordPress plugins/core triggers arbitrary file write or code execution, giving the attacker site takeover. … |
| Remediation | Upstream fix available per Patchstack advisory; a released patched version is not independently confirmed in the provided data, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/theme/neobeat/vulnerability/wordpress-neobeat-theme-1-7-php-object-injection-vulnerability) and Elated-Themes to obtain any post-1.7 release and update immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
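A compensating control for the unauthenticated unserialize() sink described in the assessment, as an added example (not code from vuln.today, Patchstack or the NeoBeat theme): it scans HTTP request lines for PHP-serialized objects in any query parameter, after URL decoding and, for values that look like base64, after decoding that wrapper too. The parameter names, the sample request lines and the class names are constructed for the demonstration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# A PHP serialized object begins with O:<name length>:"<ClassName>":<prop count>:{
# The pattern is not anchored, so objects nested inside arrays (a:1:{i:0;O:...})
# are found too. Class names may contain namespace separators (backslashes).
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')
# Values that look like base64 are decoded once more before matching.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def find_php_objects(value: str) -> list[str]:
    """Return class names of serialized PHP objects in one decoded parameter value."""
    found = PHP_OBJECT_RE.findall(value)
    if not found and BASE64_RE.fullmatch(value):
        try:
            decoded = base64.b64decode(value, validate=True).decode("latin-1")
            found = PHP_OBJECT_RE.findall(decoded)
        except binascii.Error:
            pass  # not valid base64 after all; nothing to flag
    return found


def scan_request_line(line: str) -> list[tuple[str, str]]:
    """Scan one 'METHOD /path?query ...' request line; return (param, class) hits."""
    parts = line.split()
    if len(parts) < 2:
        return []
    hits = []
    for name, value in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
        for cls in find_php_objects(value):
            hits.append((name, cls))
    return hits


# Constructed sample request lines (not real traffic; parameter names are made up).
_B64_OBJECT = base64.b64encode(b'O:8:"stdClass":0:{}').decode("ascii")
SAMPLE_LINES = [
    "GET /?s=hello HTTP/1.1",
    "GET /?data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D HTTP/1.1",
    "POST /?payload=" + quote(_B64_OBJECT, safe="") + " HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line.split()[1], "->", scan_request_line(line) or "clean")
```

Form-encoded POST bodies can be fed through parse_qsl and find_php_objects the same way; a hit on any parameter is worth alerting on, since legitimate WordPress requests do not carry serialized objects from the client.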
Recommended Action (AI-generated)
Within 24 hours: Inventory all WordPress installations for NeoBeat theme versions ≤1.7 and immediately disable or replace with an actively maintained alternative theme. …
EUVD ID: EUVD-2026-37479