Description
Unauthenticated PHP Object Injection in Alukas < 3.0.0 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an unauthenticated PHP Object Injection flaw in the Alukas WordPress theme. Attackers can supply crafted input that is deserialized by the theme, allowing the creation of arbitrary PHP objects. This can lead to the execution of malicious code, compromising the confidentiality, integrity, and availability of the affected WordPress installation. The CVSS score of 8.1 reflects the severity of this remote code execution risk.

Affected Systems

The flaw affects installations of the PressLayouts Alukas theme for WordPress running any version prior to 3.0.0. Any site that has not yet applied the theme update is potentially vulnerable and should be evaluated for usage of the theme.

Risk and Exploitability

The vulnerability does not require authentication and can be triggered by a user-supplied request that reaches the theme’s serialization logic. While there is no EPSS information available, the high CVSS rating indicates a significant threat. The theme has not been listed in the CISA KEV catalog, but the lack of a mitigation in the active security community adds urgency to applying the vendor‑provided fix. An attacker can exploit the flaw remotely by sending malicious input to the theme’s deserialization endpoint, potentially executing arbitrary PHP code on the server.

Generated by OpenCVE AI on June 18, 2026 at 13:52 UTC.

Remediation

Vendor Solution

Update the WordPress Alukas Theme to the latest available version (at least 3.0.0).


OpenCVE Recommended Actions

  • Update the Alukas theme to version 3.0.0 or later.
  • Remove or disable any previous theme versions to prevent accidental use of the vulnerable code.
  • Implement a web application firewall rule or input filter that blocks unexpected or malformed serialized data before it reaches the theme code.

Generated by OpenCVE AI on June 18, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Presslayouts
Presslayouts alukas
Wordpress
Wordpress wordpress
Vendors & Products Presslayouts
Presslayouts alukas
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Alukas < 3.0.0 versions.
Title WordPress Alukas theme < 3.0.0 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Presslayouts Alukas
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:28:41.651Z

Reserved: 2026-04-07T08:24:32.861Z

Link: CVE-2026-39445

cve-icon Vulnrichment

Updated: 2026-06-17T14:11:09.990Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:48Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data