Skip to main content

Valeska EUVD-2026-37493

| CVE-2026-40761 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-16 Patchstack
PHP Deserialization Valeska
8.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable WordPress theme sink with no auth or user interaction; AC:H because exploitation requires a working gadget chain; full CIA impact via object-injection-to-RCE.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:28 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.

AnalysisAI

Unauthenticated PHP object injection in Edge-Themes Valeska WordPress theme versions 1.2.2 and earlier allows remote attackers to trigger insecure deserialization, potentially leading to code execution, file manipulation, or full site compromise when suitable PHP magic-method gadgets are present in the WordPress stack. No public exploit identified at time of analysis, but Patchstack has catalogued the flaw and the high CVSS (8.1) reflects the serious confidentiality, integrity, and availability impact possible against affected installations.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify WordPress site running Valeska ≤1.2.2
Delivery
Craft serialized PHP gadget payload
Exploit
Send request to vulnerable theme endpoint
Install
Trigger unserialize() in Valeska
C2
PHP magic methods execute gadget chain
Execute
Drop webshell or run arbitrary code
Impact
Full site compromise and data theft
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The target site must run the Valeska WordPress theme at version 1.2.2 or earlier (Edge-Themes) and expose the vulnerable deserialization sink over the network - consistent with the CVSS AV:N/PR:N/UI:N, no authentication or user interaction is required against default theme installations. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, base 8.1) indicates a remotely reachable, unauthenticated flaw with high impact across CIA, tempered by high attack complexity - typically meaning exploitation depends on the presence of a usable gadget chain in the surrounding PHP environment, which is highly probable on real WordPress sites that load many plugins. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker sends an HTTP request to a Valeska-handled endpoint (e.g., an AJAX action or front-end parameter) carrying a crafted serialized PHP payload referencing a gadget chain available in the target's WordPress stack. When Valeska deserializes the input, PHP magic methods fire down the chain, resulting in actions such as writing a PHP webshell into the uploads directory, executing arbitrary code, or exfiltrating database contents; AC:H reflects that the attacker must tailor the gadget chain to the victim's installed plugins.
Remediation No vendor-released patch identified at time of analysis in the supplied data; site operators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/valeska/vulnerability/wordpress-valeska-theme-1-2-2-php-object-injection-vulnerability for the latest fixed version from Edge-Themes and upgrade Valeska beyond 1.2.2 once published. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all WordPress instances and identify those running Valeska theme version 1.2.2 or earlier; flag for immediate action. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

EUVD-2026-37493 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy