Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Description states unauthenticated (PR:N) over the network; AC:H because exploitation requires a usable POP gadget chain on the target; full CIA impact assumed for typical object-injection outcomes.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Description (CVE.org)
Unauthenticated PHP Object Injection in Playroom <= 1.4.1 versions.
Analysis (AI)
PHP Object Injection in the Playroom WordPress theme (versions ≤ 1.4.1) by elated-themes allows remote attackers to inject crafted serialized objects that the application deserializes, potentially triggering POP-chain gadgets. Patchstack describes the vulnerability as unauthenticated even though the CVSS vector lists PR:H, and no public exploit had been identified at the time of analysis.
Attack Chain (AI derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)

| Area | Assessment |
|---|---|
| Exploitation | The target WordPress site must have the Playroom theme installed and active at version 1.4.1 or earlier, and the attacker must be able to reach the vulnerable theme endpoint over HTTP(S). … |
| Risk Assessment | There is a meaningful conflict between sources: the Patchstack description explicitly states "Unauthenticated" while the CVSS vector encodes PR:H (high privileges required) with Scope:Changed and only Low confidentiality/integrity impact (no availability). … |
| Exploit Scenario | An attacker submits an HTTP request to a Playroom theme endpoint with a parameter containing a serialized PHP object payload crafted to invoke a POP gadget chain present in WordPress core or a bundled library. When the theme calls unserialize() on the attacker-controlled value, magic methods fire and pivot through gadgets to achieve actions such as file write, arbitrary read, or administrative state change - the precise outcome depending on which gadget chains exist on the target installation. |
| Remediation | No vendor-released patch identified at time of analysis - the references describe versions ≤ 1.4.1 as vulnerable without naming a fixed release, so administrators should monitor the elated-themes vendor portal and the Patchstack advisory at https://patchstack.com/database/wordpress/theme/playroom/vulnerability/wordpress-playroom-theme-1-4-1-php-object-injection-vulnerability for a corrected build and upgrade as soon as one is published. … |
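The unserialize() pattern the exploit scenario describes, beside the two fixes a theme author or site operator would apply, as an added example: this is not code from the Playroom theme or elated-themes, and the ThemePrefs class, the function names and the sample payload are constructed for the demonstration.

```php
<?php
// Added example, not the Playroom theme's code: the unserialize() pattern behind
// PHP object injection beside two hardened forms. ThemePrefs and the payload are constructed.
class ThemePrefs {
    public static int $wakeups = 0;   // how often deserialisation ran a magic method
    public $layout = 'list';
    public function __wakeup(): void {
        // Whatever sits here runs with attacker-chosen properties; real POP
        // chains start from methods like this in core or bundled libraries.
        self::$wakeups++;
    }
}

// Vulnerable: a request parameter reaches unserialize() unfiltered, so any
// class loaded on the site can be instantiated with attacker-chosen fields.
function load_prefs_vulnerable(string $raw) {
    return unserialize($raw);
}

// Hardened 1: keep the format but forbid class instantiation (PHP >= 7.0).
// Objects in the input become __PHP_Incomplete_Class; magic methods never fire.
function load_prefs_no_classes(string $raw): array {
    $v = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($v) ? $v : [];
}

// Hardened 2: drop serialize() for JSON plus an allow-list of scalar keys,
// which is all a theme preference blob normally needs.
function load_prefs_json(string $raw): array {
    $allowed = ['layout' => 'string', 'columns' => 'integer'];
    try {
        $v = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    if (!is_array($v)) { return []; }
    $out = [];
    foreach ($allowed as $k => $type) {
        if (array_key_exists($k, $v) && gettype($v[$k]) === $type) {
            $out[$k] = $v[$k];
        }
    }
    return $out;
}

$raw = 'O:10:"ThemePrefs":1:{s:6:"layout";s:4:"grid";}'; // constructed serialized object
load_prefs_vulnerable($raw);                                // instantiates ThemePrefs, __wakeup runs
echo "vulnerable: wakeups=" . ThemePrefs::$wakeups . "\n";
load_prefs_no_classes($raw);                                // incomplete class, __wakeup does not run
echo "allowed_classes=false: wakeups=" . ThemePrefs::$wakeups . "\n";
print_r(load_prefs_json('{"layout":"grid","columns":3,"extra":1}')); // unknown keys are dropped
```

For detection, the same `O:<digits>:"` prefix that opens a serialized object is a useful signature to watch for in request parameters reaching a theme endpoint.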
Recommended Action (AI)
Within 24 hours: Identify all WordPress installations using Playroom theme version 1.4.1 or earlier through automated scanning or manual inventory. …
EUVD-2026-37482