Skip to main content

Micdrop WordPress Theme EUVD-2026-37484

| CVE-2026-39580 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-16 Patchstack
PHP Deserialization Micdrop
8.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable unauthenticated unserialize() (AV:N/PR:N/UI:N); AC:H because impact depends on a usable POP gadget chain; full CIA impact typical of object injection leading to RCE.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:34 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in Micdrop <= 1.3.1 versions.

AnalysisAI

PHP Object Injection in the Micdrop WordPress theme versions 1.3.1 and earlier allows remote unauthenticated attackers to trigger insecure deserialization, potentially leading to high impact on confidentiality, integrity, and availability of the underlying site. No public exploit identified at time of analysis, and the CVSS vector reflects high attack complexity, meaning successful exploitation likely depends on the presence of a usable PHP gadget chain in the site's installed plugins or core. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify site running Micdrop ≤1.3.1
Delivery
Craft serialized PHP object payload
Exploit
Send unauthenticated HTTP request to vulnerable endpoint
Install
Trigger unserialize() on attacker input
C2
POP gadget chain executes during deserialization
Execute
Achieve code execution or file write as web user
Impact
Establish persistence via webshell or admin account
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the target site to be running the Micdrop theme at version 1.3.1 or earlier and to be reachable over the network on the vulnerable endpoint; no WordPress account or user interaction is required (PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects a network-reachable, unauthenticated flaw with full CIA impact, tempered by High attack complexity - typically because exploitation depends on a suitable gadget chain being present in the target's plugin/theme stack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request to a Micdrop-handled endpoint, embedding a PHP serialized payload in a parameter that the theme passes to unserialize(). When the payload is unserialized, magic methods on attacker-chosen classes (drawn from WordPress core or installed plugins) execute as a POP chain, yielding arbitrary file write or code execution under the web server account. …
Remediation No vendor-released patch identified at time of analysis; the input does not cite a fixed Micdrop version, so administrators should monitor the Patchstack advisory (https://patchstack.com/database/wordpress/theme/micdrop/vulnerability/wordpress-micdrop-theme-1-3-1-php-object-injection-vulnerability) and Select Themes for an update beyond 1.3.1 and apply it as soon as available. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all sites using Micdrop theme version 1.3.1 or earlier and assess business criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

EUVD-2026-37484 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy