Description
Unauthenticated PHP Object Injection in Elementra <= 1.0.9 versions.
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Elementra WordPress theme versions 1.0.9 and earlier expose an unauthenticated PHP Object Injection flaw that allows an attacker to manipulate serialized data and instantiate arbitrary PHP objects. This vulnerability, identified as CWE-502, gives the attacker the ability to execute arbitrary code on the host, potentially leading to full compromise of confidentiality, integrity, and availability of the website and its underlying infrastructure.

Affected Systems

ThemeREX Group’s Elementra WordPress theme, any installation running version 1.0.9 or earlier, is affected. The vulnerability applies to the theme regardless of other plugins or core WordPress versions, as it relies on the theme’s own unserialize implementation.

Risk and Exploitability

With a CVSS score of 9.8, the flaw is considered critical. The EPSS score of less than 1% indicates a low probability of immediate exploitation, and the vulnerability is not yet listed on the CISA KEV catalog. Nonetheless, the lack of authentication requirements means an attacker can craft a malicious request to any public site employing the vulnerable theme, enabling full remote code execution. The risk remains high until a patch is applied or the theme is removed.

Generated by OpenCVE AI on June 17, 2026 at 19:38 UTC.

Remediation

Vendor Solution

Update the WordPress Elementra Theme to the latest available version (at least 1.1.0).


OpenCVE Recommended Actions

  • Update the Elementra theme to version 1.1.0 or later, as released by ThemeREX Group.
  • If an immediate update is not possible, disable the Elementra theme or delete it from the site to prevent exploitation.
  • Apply standard WordPress hardening practices: enable a web application firewall, restrict administrative access, and monitor for anomalous PHP traffic while awaiting a definitive fix.

Generated by OpenCVE AI on June 17, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex Group
Themerex Group elementra
Wordpress
Wordpress wordpress
Vendors & Products Themerex Group
Themerex Group elementra
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Elementra <= 1.0.9 versions.
Title WordPress Elementra theme <= 1.0.9 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Group Elementra
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:42:02.825Z

Reserved: 2026-04-07T10:48:09.605Z

Link: CVE-2026-39529

cve-icon Vulnrichment

Updated: 2026-06-17T10:41:58.224Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:29Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data