Description
Unauthenticated PHP Object Injection in EmallShop <= 2.4.21 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated PHP Object Injection exists in the PressLayouts EmallShop theme through version 2.4.21. An attacker can send crafted serialized object data to the WordPress site, potentially causing the application to instantiate arbitrary PHP objects. Because this vulnerability is classified as CWE‑502, it is inferred that the flaw could be exploited to execute arbitrary code on the server, although the description does not explicitly confirm this outcome.

Affected Systems

The issue impacts installations of the PressLayouts EmallShop WordPress theme with versions up to and including 2.4.21. Users running any of these versions should verify the specific release installed and cross‑check it against the affected range.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1 % suggests the probability of exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog. The flaw is unauthenticated, meaning that any remote user capable of sending a crafted request to the site could attempt the injection. While the likelihood of exploitation remains low at present, the potential consequences of successful exploitation are significant.

Generated by OpenCVE AI on June 18, 2026 at 00:06 UTC.

Remediation

Vendor Solution

Update the WordPress EmallShop Theme to the latest available version (at least 2.4.22).


OpenCVE Recommended Actions

  • Update the EmallShop theme to version 2.4.22 or later
  • If an immediate update is not possible, restrict or disable access to the theme’s serialization endpoint by applying authentication or IP filtering to prevent unauthenticated injection attempts
  • Remove or replace the EmallShop theme if it is not required for your site

Generated by OpenCVE AI on June 18, 2026 at 00:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Presslayouts
Presslayouts emallshop
Wordpress
Wordpress wordpress
Vendors & Products Presslayouts
Presslayouts emallshop
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in EmallShop <= 2.4.21 versions.
Title WordPress EmallShop theme <= 2.4.21 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Presslayouts Emallshop
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:42:45.232Z

Reserved: 2026-04-07T08:24:32.861Z

Link: CVE-2026-39443

cve-icon Vulnrichment

Updated: 2026-06-17T10:42:39.598Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:31Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data