Description
Deserialization of Untrusted Data vulnerability in Elated-Themes Töbel allows Object Injection.

This issue affects Töbel: from n/a through 1.8.1.
Published: 2026-06-02
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a deserialization of untrusted data flaw in the Elated-Themes Töbel WordPress theme. An attacker can supply a crafted payload that the theme unserializes, leading to PHP object injection. The flaw lets the attacker instantiate arbitrary PHP objects, which can result in execution of malicious code and complete compromise of site confidentiality, integrity, and availability.

Affected Systems

WordPress sites using the Töbel theme with versions up to and including 1.8.1 are affected. Versions 1.9 and later contain the fix. Any site that has not yet upgraded to at least 1.9 remains vulnerable.

Risk and Exploitability

With a CVSS score of 8.1, the flaw is considered high severity. The EPSS score is not available, but the lack of a current exploit listing in the CISA KEV catalog suggests it has not yet been widely used in the wild. The attack vector is inferred to be remote, requiring an attacker to supply malicious serialized data to the theme. An attacker could achieve remote code execution by injecting PHP objects whose magic methods are invoked during unserialization. The vulnerability remains high risk until the theme is updated.

Generated by OpenCVE AI on June 2, 2026 at 12:21 UTC.

Remediation

Vendor Solution

Update the WordPress Töbel Theme to the latest available version (at least 1.9).


OpenCVE Recommended Actions

  • Upgrade the Töbel theme to at least version 1.9 to apply the vendor’s fix
  • Re‑distribute the theme under a stricter serialization policy and avoid using PHP’s built‑in unserialize on untrusted input
  • Disable or restrict any plugin or custom code that passes external data into the theme’s serialization routines


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 02 Jun 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Deserialization of Untrusted Data vulnerability in Elated-Themes Töbel allows Object Injection. This issue affects Töbel: from n/a through 1.8.1. |
| Title | | WordPress Töbel theme <= 1.8.1 - PHP Object Injection vulnerability |
| Weaknesses | | CWE-502 |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-02T12:10:10.110Z

Reserved: 2026-04-07T10:48:21.622Z

Link: CVE-2026-39551

Vulnrichment

Updated: 2026-06-02T12:10:01.722Z

NVD

Status: Deferred

Published: 2026-06-02T12:16:17.377

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-39551

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T12:30:08Z
