EUVD-2026-37488Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable unauthenticated theme endpoint (AV:N/PR:N/UI:N); AC:H because exploitation depends on a site-specific POP gadget chain; full C/I/A impact via RCE-class object injection.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated PHP Object Injection in Roisin <= 1.4 versions.
AnalysisAI
Unauthenticated PHP object injection in the Roisin WordPress theme (versions up to and including 1.4) by elated-themes allows remote attackers to deliver crafted serialized payloads to vulnerable deserialization sinks, potentially leading to high-impact compromise of confidentiality, integrity, and availability. The CVSS 8.1 score reflects high attack complexity offset by the lack of any authentication or user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target WordPress site to have the Roisin theme version 1.4 or earlier installed and active, reachable over HTTP/HTTPS by the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates remote, unauthenticated reachability with high impact across all three dimensions, but AC:H signals that successful exploitation requires conditions outside the attacker's control - typically the presence of a usable POP gadget chain in the victim's specific WordPress stack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a WordPress site running the Roisin theme version 1.4 or earlier and sends a crafted HTTP request containing a serialized PHP object payload to a vulnerable theme endpoint. If the deployed WordPress core and plugin stack contains a usable POP gadget chain, the deserialized object triggers magic methods that pivot into arbitrary file write or code execution, ultimately compromising the site. … |
| Remediation | No vendor-released patch identified at time of analysis; site operators should monitor the elated-themes vendor channel and the Patchstack advisory (https://patchstack.com/database/wordpress/theme/roisin/vulnerability/wordpress-roisin-theme-1-4-php-object-injection-vulnerability) for an updated Roisin release above 1.4 and upgrade immediately when available. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations for Roisin theme version 1.4 or earlier; disable or isolate affected sites. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through
Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers
Share
External POC / Exploit Code
Leaving vuln.today