Description
Unauthenticated PHP Object Injection in Alloggio - Hotel Booking <= 2.1.2 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated PHP Object Injection that allows an attacker to instantiate malicious PHP objects when using the Alloggio – Hotel Booking theme in WordPress versions <= 2.1.2. This flaw is classified as CWE‑502 and, if exploited, could lead to arbitrary code execution, compromising the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

Affected are installations of the WordPress Alloggio – Hotel Booking theme provided by Edge‑Themes, specifically all releases up to and including version 2.1.2. The vulnerability remains present in those and earlier minor releases of the theme and has been addressed in the 2.1.3 release.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS score of fewer than 1 % suggests a currently low probability of exploitation. The flaw is not listed in CISA’s KEV catalog. Based on the description, it is inferred that attackers can target the vulnerability remotely through the site’s web interface without needing prior authentication, making the risk high for exposed WordPress installations that still use the vulnerable theme. Formal monitoring or patching is recommended to mitigate the threat.

Generated by OpenCVE AI on June 17, 2026 at 20:37 UTC.

Remediation

Vendor Solution

Update the WordPress Alloggio - Hotel Booking Theme to the latest available version (at least 2.1.3).


OpenCVE Recommended Actions

  • Update the Alloggio – Hotel Booking theme to version 2.1.3 or newer to eliminate the vulnerability.
  • Remove or rename any legacy files from the old 2.1.2 installation to prevent accidental use of the vulnerable code path.
  • If an immediate update is not possible, temporarily disable the theme or block public access to its PHP entry points until the patch can be applied.

Generated by OpenCVE AI on June 17, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Edge-themes
Edge-themes alloggio Hotel Booking
Wordpress
Wordpress wordpress
Vendors & Products Edge-themes
Edge-themes alloggio Hotel Booking
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Alloggio - Hotel Booking <= 2.1.2 versions.
Title WordPress Alloggio - Hotel Booking theme <= 2.1.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Edge-themes Alloggio Hotel Booking
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:41:49.390Z

Reserved: 2026-04-07T10:48:15.448Z

Link: CVE-2026-39539

cve-icon Vulnrichment

Updated: 2026-06-17T10:41:44.828Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:45:16Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data