Description
Unauthenticated PHP Object Injection in NeoBeat <= 1.7 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated PHP Object Injection is present in NeoBeat theme versions 1.7 or earlier. The flaw arises from deserializing untrusted user input without proper validation, a classic CWE‑502. When exploited, arbitrary object data can be injected, potentially allowing an attacker to run arbitrary PHP code on the server. The description does not specify the exact outcome, but based on PHP Object Injection mechanics it is inferred that an attacker could gain complete control over the WordPress site and manipulate or steal site data.

Affected Systems

WordPress installations that employ the NeoBeat theme from Elated‑Themes at version 1.7 or below are affected. All newer releases, starting with 1.8, contain the fix. The theme is usually deployed as a child theme or through the WordPress theme repository.

Risk and Exploitability

CVSS score of 8.1 signals high severity. EPSS score below 1% indicates that the vulnerability has not yet been widely exploited in the wild. The flaw does not require authentication and appears to be reachable via the public web interface; this inference is drawn from the description of an unauthenticated PHP Object Injection. Although the vulnerability is not listed in the CISA KEV catalog, sites with the vulnerable theme remain at risk until they upgrade.

Generated by OpenCVE AI on June 17, 2026 at 18:44 UTC.

Remediation

Vendor Solution

Update the WordPress NeoBeat Theme to the latest available version (at least 1.8).


OpenCVE Recommended Actions

  • Upgrade the NeoBeat theme to version 1.8 or later, which removes the PHP Object Injection flaw.
  • Delete any legacy NeoBeat directories or files from earlier versions to prevent accidental use of vulnerable code.
  • Audit other plugins or custom code for usage of PHP unserialize or related functions, and either disable them or ensure they operate on trusted data only.

Generated by OpenCVE AI on June 17, 2026 at 18:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes neobeat
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes neobeat
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in NeoBeat <= 1.7 versions.
Title WordPress NeoBeat theme <= 1.7 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Elated-themes Neobeat
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:40:37.891Z

Reserved: 2026-04-07T10:48:26.892Z

Link: CVE-2026-39557

cve-icon Vulnrichment

Updated: 2026-06-17T10:40:32.840Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:45:10Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data