What is the CVSS score of EUVD-2026-37483?

EUVD-2026-37483 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.3%.

Which versions of Valiance WordPress Theme are affected by EUVD-2026-37483?

The Valiance WordPress theme (versions 1.2 and earlier) contains a critical PHP object injection flaw (CVSS 8.1) with remote code execution potential and no currently available patch.

How to fix or mitigate EUVD-2026-37483?

24 HOURS: Audit all WordPress installations to identify those running Valiance theme ≤1.2; disable the theme or restrict internet-facing access until patch availability is confirmed. 7 DAYS: Implement Web Application Firewall rules to block PHP serialized object patterns in user input; review and restrict administrative account privileges to principle of least privilege; subscribe to Valiance security advisories for patch announcements. 30 DAYS: Establish automated monitoring for Valiance updates; prepare migration plan to alternative WordPress theme if remediation timeline extends beyond acceptable risk window; assess whether custom plugins deployed in affected environments could serve as exploitation gadgets.

Valiance WordPress Theme EUVD-2026-37483

| CVE-2026-39578 HIGH

Deserialization of Untrusted Data (CWE-502)

2026-06-16 Patchstack

PHP Deserialization Valiance

8.1

CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY

8.1 HIGH

AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

vuln.today AI

10.0 CRITICAL

Patchstack labels it unauthenticated (PR:N), network-reachable with no user interaction; PHP object injection typically chains to RCE via gadget chains, so C/I/A:H with scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Jun 16, 2026 - 23:34 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in Valiance <= 1.2 versions.

AnalysisAI

PHP Object Injection in the Valiance WordPress theme (versions up to and including 1.2) by elated-themes allows attackers to pass attacker-controlled serialized data into a PHP unserialize() sink, enabling object injection that - when paired with a suitable gadget chain from WordPress core or another installed plugin - can lead to remote code execution, file manipulation, or data tampering. The Patchstack advisory labels the issue as unauthenticated, although the published CVSS vector lists PR:H, so the precise authentication boundary should be verified against the vendor advisory. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify WordPress site running Valiance ≤1.2

Delivery

Craft serialized PHP payload with POP gadget

Exploit

Send to vulnerable theme endpoint

Execution

Trigger unserialize() on attacker input

Persist

Gadget chain executes via magic methods

Impact

Achieve code execution or data tampering

Access

Identify WordPress site running Valiance ≤1.2

Delivery

Craft serialized PHP payload with POP gadget

Exploit

Send to vulnerable theme endpoint

Execution

Trigger unserialize() on attacker input

Persist

Gadget chain executes via magic methods

Impact

Achieve code execution or data tampering

Vulnerability AssessmentAI

Exploitation	The target site must run the Valiance theme by elated-themes at version 1.2 or earlier and expose the vulnerable theme endpoint that feeds attacker input into unserialize(); successful code execution additionally requires a usable POP gadget chain in WordPress core or in another plugin installed alongside the theme. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker sends a crafted HTTP request to a Valiance-powered WordPress site containing a serialized PHP object in a parameter that the theme passes to unserialize(); the object's magic methods trigger a POP gadget chain from WordPress core or another active plugin, resulting in arbitrary file write, SQL execution, or remote code execution as the web user. No public PoC has been referenced in the provided intelligence, but object-injection vulnerabilities in WordPress themes are routinely chained to RCE once a gadget is identified.
Remediation	No vendor-released patch identified at time of analysis - the Patchstack advisory does not cite a fixed Valiance version in the supplied data, so administrators should monitor the elated-themes changelog and the Patchstack record (https://patchstack.com/database/wordpress/theme/valiance/vulnerability/wordpress-valiance-theme-1-2-php-object-injection-vulnerability) and upgrade as soon as a patched build is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 HOURS: Audit all WordPress installations to identify those running Valiance theme ≤1.2; disable the theme or restrict internet-facing access until patch availability is confirmed. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH This Week POC

7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi

CVE-2026-9815 MEDIUM This Month POC

6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co

CVE-2026-48908 CRITICAL Act Now

10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL Act Now

10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve

CVE-2025-69108 CRITICAL Act Now

9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

EUVD-2026-37483 vulnerability details – vuln.today

Back