Description
Unauthenticated PHP Object Injection in Fidalgo <= 1.2.2 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an unauthenticated PHP Object Injection (CWE‑502) in the Elated‑Themes Fidalgo theme up to version 1.2.2. The theme performs unsafe PHP unserialization on user input, enabling an attacker to craft a serialized object that is deserialized and executed by the server. This leads to full control of the affected WordPress site, allowing reading, modification, deletion of content, injection of malware, or lateral movement.

Affected Systems

WordPress sites that use the Elated‑Themes Fidalgo theme version 1.2.2 or earlier are affected. Any installation still running one of these versions falls within the risk envelope until the theme is upgraded.

Risk and Exploitability

The CVSS score of 8.1 signals significant impact and remote exploitation potential. The EPSS score is below 1 %, suggesting low current exploitation activity, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated request that sends crafted serialized data to the theme’s unserialize handling code.

Generated by OpenCVE AI on June 17, 2026 at 20:36 UTC.

Remediation

Vendor Solution

Update the WordPress Fidalgo Theme to the latest available version (at least 1.3).


OpenCVE Recommended Actions

  • Update the WordPress Fidalgo Theme to version 1.3 or newer.
  • Disable or remove any calls to unserialize() in the theme’s code, or switch to a non‑vulnerable theme until the update is applied.
  • Implement input validation to reject unexpected serialized data before it reaches unserialize() functions and monitor logs for suspicious attempts.

Generated by OpenCVE AI on June 17, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes fidalgo
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes fidalgo
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Fidalgo <= 1.2.2 versions.
Title WordPress Fidalgo theme <= 1.2.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Elated-themes Fidalgo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:40:54.376Z

Reserved: 2026-04-07T10:48:26.892Z

Link: CVE-2026-39554

cve-icon Vulnrichment

Updated: 2026-06-17T10:40:47.110Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:11Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data