Description
Unauthenticated PHP Object Injection in PressMart <= 1.2.26 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PressMart theme versions 1.2.26 and earlier contain an unauthenticated PHP Object Injection flaw. The vulnerability allows an attacker to inject a specially crafted serialized payload through the theme’s processing logic, which can result in the instantiation of arbitrary PHP objects. This leads to potential code execution, data tampering or disclosure, and compromise of the WordPress site’s confidentiality, integrity, and availability.

Affected Systems

The flaw affects only WordPress sites utilizing the PressLayouts:PressMart theme, versions 1.2.26 or earlier. Users who have not updated the theme are vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and the lack of an EPSS score makes it unclear how frequently exploit attempts occur; the vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is an unauthenticated web request that delivers a malicious serialized object to the theme’s entry point. Once executed, the attacker could gain arbitrary code execution on the server.

Generated by OpenCVE AI on June 18, 2026 at 13:52 UTC.

Remediation

Vendor Solution

Update the WordPress PressMart Theme to the latest available version (at least 1.2.27).


OpenCVE Recommended Actions

  • Update the PressMart theme to version 1.2.27 or newer to remove the vulnerable unserialize logic.
  • Remove or sanitize any custom code that performs unserialize on external data within the theme or site.
  • Deploy a web application firewall rule to block or restrict payloads containing serialized PHP objects and ensure proper input validation.

Generated by OpenCVE AI on June 18, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Presslayouts
Presslayouts pressmart
Wordpress
Wordpress wordpress
Vendors & Products Presslayouts
Presslayouts pressmart
Wordpress
Wordpress wordpress
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in PressMart <= 1.2.26 versions.
Title WordPress PressMart theme <= 1.2.26 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Presslayouts Pressmart
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:28:22.538Z

Reserved: 2026-04-07T08:24:32.861Z

Link: CVE-2026-39442

cve-icon Vulnrichment

Updated: 2026-06-17T14:26:13.567Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:00:16Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data