Description
Deserialization of Untrusted Data vulnerability in Elated-Themes Aperitif allows Object Injection.

This issue affects Aperitif: from n/a through 1.6.
Published: 2026-06-02
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in the Aperitif theme allows an attacker to inject crafted PHP object instances, potentially enabling remote code execution or other severe actions against the affected WordPress site. The weakness is classified as CWE-502 (Deserialization of Untrusted Data) and can be triggered when an attacker supplies serialized input that the theme processes without proper validation. Successful exploitation would likely result in full compromise of the web application, including data disclosure, modification, or defacement.

Affected Systems

The vulnerability affects the WordPress Aperitif theme from Elated-Themes in all versions up to and including 1.6. No specific sub-versions within that range are excluded; users on 1.5.x or earlier are also affected.

Risk and Exploitability

The CVSS score of 8.1 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates high severity: the issue is reachable over the network without privileges or user interaction, although attack complexity is rated high. An EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed public exploitation yet. Nevertheless, the availability of the vulnerability and its high potential impact make timely mitigation critical. Attackers can exploit the weakness by submitting serialized data via the theme's data handling processes, which, if unfiltered, may lead to code execution or other malicious actions.

Generated by OpenCVE AI on June 2, 2026 at 12:21 UTC.

Remediation

Vendor Solution

Update the WordPress Aperitif Theme to the latest available version (at least 1.6.1).


OpenCVE Recommended Actions

  • Update the Aperitif theme to version 1.6.1 or later, which removes the vulnerable deserialization code.
  • If an update cannot be applied immediately, temporarily disable the Aperitif theme and revert to a default or previously known safe theme to prevent exploitation.
  • Review the site’s code to ensure that any remaining serialized data handling is sanitized and that no untrusted input is deserialized; apply hard‑coded restrictions or input validation as needed to mitigate similar future risks.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | Deserialization of Untrusted Data vulnerability in Elated-Themes Aperitif allows Object Injection. This issue affects Aperitif: from n/a through 1.6.
Title | | WordPress Aperitif theme <= 1.6 - PHP Object Injection vulnerability
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-02T12:10:24.306Z

Reserved: 2026-04-07T10:48:21.622Z

Link: CVE-2026-39550

Vulnrichment

Updated: 2026-06-02T12:10:19.180Z

NVD

Status: Deferred

Published: 2026-06-02T12:16:17.247

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-39550

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T12:30:08Z
