Skip to main content

RT-Theme 18 EUVDEUVD-2026-43387

| CVE-2026-57744 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-07-13 Patchstack
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network and unauthenticated per the sink, but rated AC:H because reliable impact requires locating a suitable POP gadget chain; full C/I/A when a chain is reached.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:38 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
CRITICAL 9.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Object Injection.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.

AnalysisAI

PHP Object Injection in the RT-Theme 18 | Extensions plugin (rt18-extensions) for WordPress affects all versions up to and including 2.5, allowing remote attackers to inject arbitrary PHP objects by supplying crafted serialized data to an unsafe deserialization sink. Because the CVSS vector reports PR:N/UI:N, exploitation does not require authentication or user interaction, and impact escalates to full compromise (confidentiality, integrity, availability all High) when a usable POP gadget chain is present in the WordPress stack. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running rt18-extensions ≤2.5
Delivery
Craft serialized PHP object payload
Exploit
Submit to vulnerable deserialization endpoint
Execution
Trigger POP gadget chain on unserialize
Persist
Achieve code execution or file write
Impact
Full site compromise

Vulnerability AssessmentAI

Exploitation The core condition is that attacker-controlled input reaches an unsafe deserialization (unserialize) sink within the rt18-extensions plugin on a site running RT-Theme 18 | Extensions version 2.5 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially conflicting and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker crafts a serialized PHP object payload targeting a gadget chain available in the WordPress installation and submits it to the vulnerable rt18-extensions input over the network (AV:N/AC:L/PR:N/UI:N). When the plugin deserializes the data, the injected object's magic methods fire, potentially leading to arbitrary file write, SQL manipulation, or code execution and full site takeover. …
Remediation No vendor-released patched version is identified in the available data - the affected range is 'through <= 2.5' with no fixed version stated, so administrators should monitor the vendor (stmcan) and the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/rt18-extensions/vulnerability/wordpress-rt-theme-18-extensions-plugin-2-5-php-object-injection-vulnerability) for a release above 2.5 and update as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: disable the rt18-extensions plugin on all WordPress instances and review access logs for potential exploitation attempts targeting the plugin. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy