Description
Unauthenticated PHP Object Injection in Zermatt <= 1.6.1 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated PHP Object Injection in the WordPress Zermatt Theme allows an attacker to deserialize crafted data and create arbitrary PHP objects, which can lead to remote code execution, data leakage, or manipulation of site content. The weakness is documented as CWE‑502, indicating an unsafe handling of serialized data.

Affected Systems

The vulnerability affects all releases of the Select‑Themes Zermatt WordPress theme with a version number of 1.6.1 or older. Updating the theme to version 1.7 or later removes the flaw.

Risk and Exploitability

The CVSS score of 8.1 classifies this issue as high severity. Because the flaw is unauthenticated, an attacker may be able to deliver malicious serialized payloads through any endpoint that the theme processes. Based on the description, it is inferred that such an attack vector exists remotely, though the Exact EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, which suggests the likelihood of exploitation depends largely on the presence of an accessible entry point.

Generated by OpenCVE AI on June 18, 2026 at 14:07 UTC.

Remediation

Vendor Solution

Update the WordPress Zermatt Theme to the latest available version (at least 1.7).


OpenCVE Recommended Actions

  • Update the Zermatt Theme to version 1.7 or later.
  • If an immediate update is not possible, deactivate or uninstall the Zermatt Theme to stop the vulnerable code from running.
  • Remove or sanitize any custom code or plugins that use unserialize to avoid executing malicious payloads.

Generated by OpenCVE AI on June 18, 2026 at 14:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Select-themes
Select-themes zermatt
Wordpress
Wordpress wordpress
Vendors & Products Select-themes
Select-themes zermatt
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Zermatt <= 1.6.1 versions.
Title WordPress Zermatt theme <= 1.6.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Select-themes Zermatt
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:31:24.913Z

Reserved: 2026-04-07T10:48:21.621Z

Link: CVE-2026-39545

cve-icon Vulnrichment

Updated: 2026-06-17T13:36:34.972Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:28Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data