Description
Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection.

This issue affects Askka: from n/a through 1.3.1.
Published: 2026-06-02
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Askka WordPress theme up to version 1.3.1 contains a PHP Object Injection flaw that arises when the theme deserializes untrusted serialized data. This weakness allows an attacker to construct malicious serialized payloads that the PHP runtime interprets, potentially leading to arbitrary code execution. The CVE description does not specify the exact outcome of such an exploitation, so the extent of damage is inferred from the typical behavior of PHP object injection and is not guaranteed by the data provided.

Affected Systems

The vulnerability affects the Elated‑Themes Askka WordPress theme in all releases through 1.3.1. Any WordPress installation that has this theme active or scheduled to be activated is potentially exposed.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity. An EPSS score has not been published, and the issue is not listed in the CISA KEV catalog. Exploitation would likely require a crafted web request that reaches the theme’s deserialization logic, which is normally available to any visitor of the public WordPress site. Based on common exploitation patterns for PHP object injection, remote code execution could be possible, though the CVE itself does not confirm that outcome.

Generated by OpenCVE AI on June 2, 2026 at 15:52 UTC.

Remediation

Vendor Solution

Update the WordPress Askka Theme to the latest available version (at least 1.4).

OpenCVE Recommended Actions

  • Upgrade the Askka Theme to version 1.4 or later, which removes the vulnerable deserialization code.
  • If an upgrade is not immediately possible, deactivate or uninstall the Askka Theme to prevent the execution of the vulnerable code paths.
  • Add input validation to any data that may be passed to PHP’s unserialize() function, ensuring only trusted and properly formatted data is processed.

Generated by OpenCVE AI on June 2, 2026 at 15:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes askka
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes askka
Wordpress
Wordpress wordpress

Tue, 02 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1.
Title WordPress Askka theme <= 1.3.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Elated-themes Askka
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-02T15:20:20.171Z

Reserved: 2026-04-07T10:48:26.892Z

Link: CVE-2026-39555

cve-icon Vulnrichment

Updated: 2026-06-02T15:20:15.996Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T14:16:52.337

Modified: 2026-06-02T14:43:49.920

Link: CVE-2026-39555

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T16:00:17Z

Weaknesses