Skip to main content

777 (WordPress Theme) EUVDEUVD-2026-43383

| CVE-2026-57738 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-07-13 Patchstack
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Remote unauthenticated (AV:N/PR:N/UI:N), but AC:H because reliable impact requires a usable POP gadget chain; full C/I/A impact assumed when a chain exists.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:40 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
CRITICAL 9.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in axiomthemes 777 triple-seven allows Object Injection.This issue affects 777: from n/a through <= 1.13.0.

AnalysisAI

Remote PHP object injection in the axiomthemes '777' (triple-seven) WordPress theme allows attackers to instantiate arbitrary PHP objects by supplying crafted serialized data to a vulnerable unserialize() call, affecting all versions up to and including 1.13.0. With the reported CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) scoring 9.8, an unauthenticated network attacker can achieve high-impact compromise if a usable POP gadget chain is present. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running 777 theme <= 1.13.0
Delivery
Craft malicious serialized PHP object
Exploit
Send payload to vulnerable unserialize endpoint
Execution
Trigger POP gadget chain via magic methods
Persist
Achieve file write or code execution
Impact
Compromise WordPress site

Vulnerability AssessmentAI

Exploitation Exploitation requires a request reaching the theme code path that deserializes untrusted input via unserialize() in the '777' theme (versions <= 1.13.0), and - critically - a usable PHP POP gadget chain present in the theme, WordPress core, or an installed plugin to convert object injection into concrete impact. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H = 9.8 Critical) indicates a low-complexity, remote, unauthenticated path with full confidentiality, integrity, and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request containing a malicious serialized PHP object to a theme endpoint that calls unserialize() on the input. If a POP gadget chain is available in the theme, WordPress core, or an active plugin, the injected object's magic methods trigger during deserialization, leading to actions such as arbitrary file write, data disclosure, or code execution. …
Remediation No vendor-released patch version is identified in the available data; the input only specifies affected versions through <= 1.13.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all WordPress installations to identify those running axiomthemes '777' theme and document version numbers in use across the organization. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43383 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy