Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable unauthenticated deserialization (AV:N/PR:N/UI:N); AC:H because exploitation requires a viable POP gadget chain in the target stack; full C/I/A impact typical of PHP object injection.
Primary rating from Patchstack (listed on this page as the "Vendor" source; Mikado-Themes is the theme author).
CVSS vector (Patchstack): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Unauthenticated PHP Object Injection in EasyMeals <= 1.5.1 versions.
Analysis (AI-generated)
Unauthenticated PHP Object Injection affects the Mikado-Themes EasyMeals WordPress theme through version 1.5.1, allowing remote attackers to supply crafted serialized data that a vulnerable code path in the theme passes to unserialize(). Successful exploitation can lead to high-impact compromise of confidentiality, integrity, and availability of the underlying WordPress site, though no public exploit had been identified at the time of analysis. …
Vulnerability Assessment (AI-generated)
Exploitation: The target must be running the Mikado-Themes EasyMeals WordPress theme at version 1.5.1 or earlier, and the vulnerable deserialization entry point must be reachable over HTTP/HTTPS without authentication (PR:N, UI:N). …

Risk Assessment: Signals are mixed. The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H indicates a network-reachable, unauthenticated vulnerability with full triad impact, but AC:H tempers practical exploitability because a viable gadget chain must exist in the deployed stack (WordPress core, other plugins or themes, or vendored libraries). …

Exploit Scenario: An unauthenticated attacker sends an HTTP request to a WordPress site running EasyMeals <= 1.5.1 containing a crafted serialized PHP object in a parameter that the theme passes to unserialize(). PHP instantiates whatever classes the payload names, and their magic methods (__wakeup, __destruct, __toString and similar) run with attacker-controlled properties; chained together (a POP gadget chain) these can lead to outcomes such as arbitrary file write or code execution in the web server context. …

Remediation: No vendor-released patch was identified at the time of analysis in the available data. Site operators running EasyMeals 1.5.1 or earlier should consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/easymeals/vulnerability/wordpress-easymeals-theme-1-5-1-php-object-injection-vulnerability and upgrade to a fixed release once published by Mikado-Themes. …
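The vulnerable pattern from the exploit scenario above, next to one way to harden it. This is an added illustration written for this page, not code from EasyMeals, Mikado-Themes or vuln.today: the LogWriter gadget class, the request parameter contents and the temp-file path are constructed here, and the advisory does not identify the theme's real entry point or which gadget classes exist on a given site.

```php
<?php
// Added illustration (not EasyMeals code): a minimal PHP object injection and a hardened loader.
// LogWriter stands in for whatever gadget class is present in the deployed stack; it is
// defined here only so the example runs stand-alone.
declare(strict_types=1);

// Hypothetical gadget: a magic method that performs a dangerous side-effect using
// attacker-controlled properties. Real chains reuse classes that already exist in
// WordPress core, other plugins/themes or vendored libraries.
final class LogWriter
{
    public string $path = '/dev/null';
    public string $data = '';

    public function __destruct()
    {
        // Attacker-controlled file write, triggered when the object is destroyed.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: untrusted request data reaches unserialize() directly,
// so the payload decides which classes get instantiated.
function vulnerable_load(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern: never instantiate classes from untrusted input, then validate the shape.
function hardened_load(string $untrusted): array
{
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected a serialized array');
    }
    // With allowed_classes => false, any object token becomes __PHP_Incomplete_Class;
    // reject those too rather than letting them propagate into application code.
    array_walk_recursive($value, static function ($v): void {
        if ($v instanceof __PHP_Incomplete_Class) {
            throw new InvalidArgumentException('objects are not permitted in this payload');
        }
    });
    return $value;
}

// Constructed payloads (hypothetical): what a request parameter would carry.
$tmp       = sys_get_temp_dir() . '/poi_demo.txt';
$benign    = serialize(['meal' => 'pasta']);
$malicious = 'O:9:"LogWriter":2:{s:4:"path";s:' . strlen($tmp) . ':"' . $tmp . '";s:4:"data";s:5:"pwned";}';

// 1. Vulnerable path: the gadget's __destruct fires as soon as the object is released.
$obj = vulnerable_load($malicious);
unset($obj);
echo 'vulnerable: file written? ', var_export(file_exists($tmp), true), PHP_EOL;
@unlink($tmp);

// 2. Hardened path: benign data is accepted, the object payload is rejected, nothing is written.
print_r(hardened_load($benign));
try {
    hardened_load($malicious);
} catch (InvalidArgumentException $e) {
    echo 'hardened: rejected (', $e->getMessage(), ')', PHP_EOL;
}
echo 'hardened: file written? ', var_export(file_exists($tmp), true), PHP_EOL;
```

The change that removes the bug class entirely is to stop deserializing untrusted data at all (for example, carry the value as JSON and validate it against the expected keys); `allowed_classes => false` is the minimum when the serialized format cannot be changed, and it still leaves the application responsible for checking the decoded structure.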
Recommended Action (AI-generated)
Within 24 hours: Audit all WordPress installations to identify systems running EasyMeals theme v1.5.1 or earlier. …
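A fleet audit for the step above, as an added example that is not code from vuln.today, Mikado-Themes or WordPress core: it reads each site's wp-content/themes/*/style.css header block the way WordPress core does and flags an EasyMeals parent theme at 1.5.1 or earlier. The docroot layout and the "Theme Name: EasyMeals" header value are assumptions; when run with no arguments it builds two constructed fixture sites so it works offline.

```php
<?php
// Added example, not code from vuln.today or Mikado-Themes: flag WordPress document roots
// whose installed EasyMeals theme is at version <= 1.5.1.
declare(strict_types=1);

const AFFECTED_MAX = '1.5.1';       // from the advisory: EasyMeals <= 1.5.1 is affected
const THEME_NAME   = 'EasyMeals';   // assumed value of the theme's "Theme Name:" header

// Read selected headers from the first 8 KiB of style.css, as WordPress core does
// (only the leading comment block is inspected, so a large stylesheet is not loaded).
function theme_headers(string $styleCss): array
{
    $head = (string) file_get_contents($styleCss, false, null, 0, 8192);
    $out  = [];
    foreach (['Theme Name', 'Version', 'Template'] as $key) {
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($key, '/') . ':(.*)$/mi', $head, $m)) {
            $out[$key] = trim(preg_replace('/\s*(?:\*\/|\?>).*/', '', $m[1]));
        }
    }
    return $out;
}

// Return [theme dir => headers] for every affected EasyMeals copy under one docroot.
// Child themes declare "Template:" and carry their own version number; the parent
// directory holds the vulnerable code, so only parent themes are compared.
// A missing Version header is treated as affected rather than silently skipped.
function find_affected(string $docroot): array
{
    $hits = [];
    foreach (glob($docroot . '/wp-content/themes/*/style.css') ?: [] as $css) {
        $h = theme_headers($css);
        if (isset($h['Template']) || strcasecmp($h['Theme Name'] ?? '', THEME_NAME) !== 0) {
            continue;
        }
        if (version_compare($h['Version'] ?? '0', AFFECTED_MAX, '<=')) {
            $hits[dirname($css)] = $h;
        }
    }
    return $hits;
}

$docroots = array_slice($argv, 1);
if ($docroots === []) {
    // No paths given: build two constructed fixture sites (hypothetical) so the script runs offline.
    $base = sys_get_temp_dir() . '/easymeals-audit-' . getmypid();
    foreach (['site-a' => '1.5.1', 'site-b' => '1.5.2'] as $site => $ver) {
        $dir = "$base/$site/wp-content/themes/easymeals";
        mkdir($dir, 0700, true);
        file_put_contents("$dir/style.css", "/*\nTheme Name: EasyMeals\nVersion: $ver\n*/\n");
    }
    $docroots = glob("$base/*") ?: [];
}

foreach ($docroots as $docroot) {
    $affected = find_affected($docroot);
    $versions = array_map(static fn(array $h): string => $h['Version'] ?? '?', $affected);
    printf("%-40s %s\n", $docroot, $affected ? 'AFFECTED (' . implode(', ', $versions) . ')' : 'not affected');
}
```

Run it against real installations as `php easymeals_audit.php /var/www/site1 /var/www/site2`. Where WP-CLI is available, `wp theme list --format=json` from each docroot gives the same Name and Version fields without parsing the header yourself.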
Reference: EUVD-2026-37602