Description
Unauthenticated PHP Object Injection in Nifty <= 1.4.1 versions.
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Nifty Theme versions up to 1.4.1 allow an unauthenticated attacker to inject PHP objects. When malicious serialized data is processed by the theme’s PHP code, PHP’s unserialize function instantiates arbitrary objects, which can lead to remote code execution, data tampering or other severe compromise.

Affected Systems

The vulnerability affects BoldThemes’ Nifty WordPress theme, version 1.4.1 and earlier. The vendor has released a remediation in version 1.4.2 on or after the advisory publication.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical high‑risk flaw and the EPSS score of less than 1% shows a low current exploitation probability, but the issue is still not listed in CISA’s KEV catalog. Because the flaw is unauthenticated and relies on PHP deserialization, an attacker can trigger it via any HTTP request that reaches vulnerable code paths within the theme. The impact is full remote code execution on the affected site, potentially compromising the entire web application and underlying server.

Generated by OpenCVE AI on June 17, 2026 at 19:41 UTC.

Remediation

Vendor Solution

Update the WordPress Nifty Theme to the latest available version (at least 1.4.2).


OpenCVE Recommended Actions

  • Upgrade the WordPress Nifty Theme to version 1.4.2 or later.
  • If an upgrade cannot be performed immediately, disable the theme’s exposed endpoints that trigger deserialization by activating a default safe theme until the patch is applied.
  • Implement a Web‑Application Firewall rule or modify the server configuration to reject HTTP requests containing serialized object strings that target the Nifty theme.

Generated by OpenCVE AI on June 17, 2026 at 19:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Boldthemes
Boldthemes nifty
Wordpress
Wordpress wordpress
Vendors & Products Boldthemes
Boldthemes nifty
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Nifty <= 1.4.1 versions.
Title WordPress Nifty theme <= 1.4.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Boldthemes Nifty
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:44:10.061Z

Reserved: 2026-02-19T09:52:32.856Z

Link: CVE-2026-27429

cve-icon Vulnrichment

Updated: 2026-06-17T10:44:03.794Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:03Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data