Skip to main content

Zermatt WordPress Theme EUVD-2026-37673

| CVE-2026-39545 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-17 Patchstack
PHP Deserialization Zermatt
8.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable unauthenticated deserialization (AV:N/PR:N/UI:N); AC:H reflects required POP gadget chain; full C/I/A impact from typical object-injection RCE outcomes.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:24 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in Zermatt <= 1.6.1 versions.

AnalysisAI

Unauthenticated PHP Object Injection in the Zermatt WordPress theme versions 1.6.1 and earlier allows remote attackers to deliver malicious serialized PHP objects to a vulnerable unserialize() sink without prior authentication. Successful exploitation can lead to high impact on confidentiality, integrity, and availability when a suitable POP gadget chain is reachable in the WordPress installation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify site running Zermatt theme
Delivery
Locate deserialization endpoint
Exploit
Craft serialized PHP gadget chain
Install
Submit payload via HTTP
C2
Trigger unserialize() with magic methods
Execute
Achieve code execution or file write
Impact
Install webshell for persistence
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires network reach to a WordPress site running the Zermatt theme version 1.6.1 or earlier with the vulnerable deserialization endpoint exposed (no authentication or user interaction required per PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 8.1 (High) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H - network-reachable, no authentication, no user interaction, but high attack complexity, typically reflecting reliance on a usable gadget chain or specific runtime state. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker crafts a serialized PHP object payload encoding a POP gadget chain available in the target WordPress stack and submits it to a Zermatt theme endpoint that deserializes user input, for example via a GET/POST parameter handled by the theme. When PHP unserializes the payload, magic methods on the instantiated objects fire and the chain culminates in file writes or code execution, allowing the attacker to drop a webshell or take over the site. …
Remediation No vendor-released patch identified at time of analysis from the provided references; site operators should monitor the Select-Themes vendor channel and the Patchstack advisory (https://patchstack.com/database/wordpress/theme/zermatt/vulnerability/wordpress-zermatt-theme-1-6-1-php-object-injection-vulnerability) for an updated theme release beyond 1.6.1 and apply it immediately when available. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using Zermatt theme v1.6.1 or earlier; if operationally feasible, deactivate the theme and deploy an alternative. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

EUVD-2026-37673 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy