Description
Unauthenticated PHP Object Injection in Playroom <= 1.4.1 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated PHP Object Injection in the WordPress Playroom Theme up to version 1 4 1. By crafting serialized PHP objects into a request that is processed by the theme, an attacker can manipulate the object's properties, leading to arbitrary PHP code execution on the server. This falls under CWE‑502, which addresses the improper handling of serialized data and can compromise confidentiality, integrity, and availability if exploited.

Affected Systems

The affected product is the Elated‑Themes Playroom theme for WordPress. Vulnerable configurations run any Playroom version <= 1.4.1. The official recommendation is to update the theme to version 1.5 or newer to eliminate the flaw.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, and the EPSS score of < 1 % shows a very low probability of widespread exploitation at present. It is not listed in the CISA KEV catalog. The flaw is unauthenticated, meaning an attacker can deliver a malicious serialized payload without needing prior access, potentially via a public web request. Exploitation does not require complex prerequisites, so while the likelihood is low, the impact is serious if an adversary initiates the attack.

Generated by OpenCVE AI on June 17, 2026 at 20:35 UTC.

Remediation

Vendor Solution

Update the WordPress Playroom Theme to the latest available version (at least 1.5).


OpenCVE Recommended Actions

  • Update the Playroom Theme to version 1.5 or later to eliminate the PHP Object Injection flaw.
  • Remove or disable any custom code or plugins that pass user input to the theme’s serialization routines, and verify that no serialized data is processed without proper validation.
  • If an immediate upgrade is not possible, temporarily replace the Playroom Theme with a secure alternative and enforce restrictive file‑system permissions on the theme directory to limit the ability of attackers to modify theme files.

Generated by OpenCVE AI on June 17, 2026 at 20:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes playroom
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes playroom
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Playroom <= 1.4.1 versions.
Title WordPress Playroom theme <= 1.4.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Elated-themes Playroom
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:39:53.478Z

Reserved: 2026-04-07T10:48:38.855Z

Link: CVE-2026-39577

cve-icon Vulnrichment

Updated: 2026-06-17T10:39:48.444Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:06Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data