Description
Unauthenticated PHP Object Injection in Santé <= 1.5.1 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated PHP Object Injection flaw in any installation of the Select‑Themes Santé WordPress theme version 1.5.1 or earlier. By manipulating a serialized object that is passed to PHP’s unserialize function, an attacker can execute arbitrary PHP code on the server, leading to a compromise of confidentiality, integrity, and availability for the WordPress site and potentially the underlying web server. The weakness is identified as CWE‑502, improper deserialization of untrusted data.

Affected Systems

This issue affects WordPress sites that have the Santé theme 1.5.1 or older installed. The developer released an updated theme version 1.6 that removes the problematic deserialization logic. Sites that cannot immediately upgrade must avoid using the vulnerable theme, as it is the sole entry point for exploitation.

Risk and Exploitability

The CVSS score of 8.1 highlights the severity of this flaw, while the EPSS score of less than 1% indicates a low but non‑zero probability of exploitation at the time of this analysis. The vulnerability is not listed in CISA’s KEV catalog. Attackers can trigger the flaw by sending a crafted HTTP request containing a malicious serialized object to a network‑accessible WordPress instance that loads the vulnerable theme, causing the unserialize path to be executed. Based on the description, it is inferred that the attack vector is remote network‑based exploitation of PHP deserialization logic.

Generated by OpenCVE AI on June 17, 2026 at 20:35 UTC.

Remediation

Vendor Solution

Update the WordPress Santé Theme to the latest available version (at least 1.6).


OpenCVE Recommended Actions

  • Upgrade the WordPress Santé Theme to version 1.6 or later, which removes the vulnerable deserialization logic.
  • Eliminate or sanitize any custom code or third‑party plugins that perform unserialize on untrusted data.
  • If an upgrade cannot be performed immediately, disable the Santé theme, replace it with a secure alternative, and restrict administrative access while preparing the update.

Generated by OpenCVE AI on June 17, 2026 at 20:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Select-themes
Select-themes santé
Wordpress
Wordpress wordpress
Vendors & Products Select-themes
Select-themes santé
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Santé <= 1.5.1 versions.
Title WordPress Santé theme <= 1.5.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Select-themes Santé
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:40:23.967Z

Reserved: 2026-04-07T10:48:32.434Z

Link: CVE-2026-39567

cve-icon Vulnrichment

Updated: 2026-06-17T10:40:18.906Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:09Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data