Description
Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection.

This issue affects The Hospital: from n/a through 1.8.1.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw caused by deserialization of untrusted data in the EMV The Hospital WordPress theme. An attacker providing crafted serialized input can coerce the theme into creating arbitrary PHP objects, leading to execution of malicious code on the server. The weakness corresponds to CWE-502, which can compromise confidentiality, integrity, and availability of the affected website.

Affected Systems

EMV The Hospital theme for WordPress, version 1.8.1 or earlier, including all releases from the initial release through 1.8.1.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. Although the EPSS score is not available, the high CVSS suggests that exploitation is likely if the vulnerability is discovered. The theme is not listed in the CISA KEV catalog, but the flaw could be targeted by attackers who control input that is deserialized, such as query strings, POST data, or WordPress metadata. The attack vector is inferred to be remote exploitation via crafted serialized data, potentially allowing full remote code execution on the hosted site.

Generated by OpenCVE AI on June 18, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EMV The Hospital theme to version 1.8.2 or later, which removes the unsafe unserialize usage.
  • If an upgrade is not immediately possible, remove or replace any calls to PHP's unserialize in the theme’s source code with safer, whitelist‑based deserialization or avoid deserialization of untrusted data entirely.
  • Apply additional security controls such as a web application firewall or a content security policy that blocks the execution of unknown code and monitor for suspicious serialized payloads in HTTP requests.

Generated by OpenCVE AI on June 18, 2026 at 11:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Emv
Emv the Hospital
Wordpress
Wordpress wordpress
Vendors & Products Emv
Emv the Hospital
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection. This issue affects The Hospital: from n/a through 1.8.1.
Title WordPress The Hospital theme <= 1.8.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Emv The Hospital
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T13:59:29.056Z

Reserved: 2025-09-25T15:34:39.168Z

Link: CVE-2025-60231

cve-icon Vulnrichment

Updated: 2026-06-17T13:59:24.869Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:34Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data