Description
Unauthenticated PHP Object Injection in Hiroshi <= 1.5.1 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated PHP Object Injection flaw that allows an attacker to manipulate object serialization during processing by the Hiroshi WordPress theme. Because the flaw is not restricted by authentication or input validation, an attacker who can target the thematic code context could forge objects that trigger code execution, potentially leading to arbitrary code execution on the affected WordPress install. The weakness is classified as CWE‑502, indicating an unserialization error that can be abused without user interaction. The impact is the compromise of the entire system hosting the WordPress site, as the injected code runs with the same privileges as the web server.

Affected Systems

WordPress users who installed the Hiroshi theme version 1.5.1 or earlier are affected. The theme is distributed by Select‑Themes under the product name Hiroshi. Users on any operating system or hosting environment that runs the vulnerable theme are at risk, regardless of other plugins or core WordPress version. The only mitigated version is 1.6 and later.

Risk and Exploitability

With a CVSS score of 8.1, the vulnerability is considered high impact. No EPSS score is available, but because the flaw is unauthenticated and relies on a common PHP un-serialization vulnerability, it is likely that exploits may appear in the wild or in the near future. The vulnerability is not listed in the CISA KEV catalog, yet the lack of a published EPSS value does not reduce the risk that an attacker could craft a payload that takes advantage of the theme’s lack of input validation. The most likely attack vector is a crafted URL or form submission that delivers malicious serialized data to the theme’s processing logic, exploiting the improper handling of object deserialization.

Generated by OpenCVE AI on June 18, 2026 at 11:47 UTC.

Remediation

Vendor Solution

Update the WordPress Hiroshi Theme to the latest available version (at least 1.6).


OpenCVE Recommended Actions

  • Update the Hiroshi theme to version 1.6 or later
  • If updating is not immediately possible, restrict user permissions so that only trusted administrators can upload and activate themes
  • Temporarily disable the theme’s legacy PHP components or any functionality that accepts serialized input until a patch is applied

Generated by OpenCVE AI on June 18, 2026 at 11:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Select-themes
Select-themes hiroshi
Wordpress
Wordpress wordpress
Vendors & Products Select-themes
Select-themes hiroshi
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Hiroshi <= 1.5.1 versions.
Title WordPress Hiroshi theme <= 1.5.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Select-themes Hiroshi
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:37:38.642Z

Reserved: 2026-04-07T10:48:26.893Z

Link: CVE-2026-39560

cve-icon Vulnrichment

Updated: 2026-06-17T15:37:32.517Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:26Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data