Description
Unauthenticated PHP Object Injection in Konsept <= 1.9 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated PHP Object Injection flaw is present in WordPress Konsept theme versions 1.9 and earlier. The weakness allows an attacker to send specially crafted serialized PHP data to the theme, causing PHP's deserialization to instantiate objects controlled by the attacker. This can lead to remote code execution or other destructive operations on the affected WordPress site. The flaw is classified as CWE‑502 and carries a CVSS score of 8.1, indicating a high level of severity.

Affected Systems

The vulnerability affects sites that use the Elated‑Themes:Konsept WordPress theme installed in version 1.9 or earlier. No further platform specifics are provided, and the issue is limited to the theme itself.

Risk and Exploitability

With a CVSS score of 8.1 and no EPSS data available, the risk is high and the vulnerability is not yet listed in CISA KEV. Attackers can exploit this flaw through publicly accessible HTTP requests to the WordPress installation, without requiring authentication. The absence of mitigations in older theme releases means adversaries can likely achieve high‑impact objectives once the flaw is verified.

Generated by OpenCVE AI on June 18, 2026 at 13:52 UTC.

Remediation

Vendor Solution

Update the WordPress Konsept Theme to the latest available version (at least 2.0).


OpenCVE Recommended Actions

  • Upgrade the Konsept theme to version 2.0 or later, which resolves the deserialization handling.
  • If an upgrade cannot be performed immediately, disable or remove the old Konsept theme to eliminate the attack surface.
  • Deploy a web application firewall or security plugin to block or sanitize serialized PHP payloads during the upgrade process.

Generated by OpenCVE AI on June 18, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes konsept
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes konsept
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Konsept <= 1.9 versions.
Title WordPress Konsept theme <= 1.9 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Elated-themes Konsept
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:41:01.979Z

Reserved: 2026-04-07T10:48:26.892Z

Link: CVE-2026-39556

cve-icon Vulnrichment

Updated: 2026-06-17T14:40:58.697Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:28Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data