Description
Unauthenticated PHP Object Injection in SingleMalt <= 1.5 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SingleMalt theme through version 1.5 contains an unauthenticated PHP Object Injection flaw. The vulnerability allows an attacker to craft a request that triggers PHP’s unserialize function on data supplied by the attacker, leading to arbitrary code execution. The weakness falls under CWE‑502 and can compromise the confidentiality, integrity, and availability of the host system and any data stored by the WordPress installation.

Affected Systems

The flaw affects installations of the Elated‑Themes SingleMalt WordPress theme that are version 1.5 or earlier. No specific minor versions are listed, so all releases up to and including 1.5 are vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity vulnerability. The EPSS score is not available, but the lack of a KEV listing does not reduce the risk; attackers can exploit the flaw remotely through HTTP requests that include serialized payloads. The vulnerability is unauthenticated, so any user can target the affected site without needing credentials. Given the high CVSS score and the nature of remote code execution, the risk is considerable and the exploitability is high.

Generated by OpenCVE AI on June 18, 2026 at 11:47 UTC.

Remediation

Vendor Solution

Update the WordPress SingleMalt Theme to the latest available version (at least 1.6).


OpenCVE Recommended Actions

  • Update the SingleMalt theme to version 1.6 or later, which removes the vulnerable code
  • If immediate upgrade is not possible, disable PHP unserialize functions in your theme or in the target WordPress installation to prevent exploitation
  • Restrict direct theme file access and disable theme editing from the WordPress dashboard to limit potential attack vectors

Generated by OpenCVE AI on June 18, 2026 at 11:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes singlemalt
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes singlemalt
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in SingleMalt <= 1.5 versions.
Title WordPress SingleMalt theme <= 1.5 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Elated-themes Singlemalt
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:25:17.856Z

Reserved: 2026-04-07T10:48:38.855Z

Link: CVE-2026-39576

cve-icon Vulnrichment

Updated: 2026-06-17T14:25:12.450Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:24Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data