Description
Unauthenticated PHP Object Injection in Valiance <= 1.2 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Valiance theme versions up to 1.2 contain an unauthenticated PHP Object Injection flaw that allows the creation of arbitrary PHP objects, potentially giving an attacker the ability to execute unsanitized PHP code on the WordPress site. The weakness is classified as CWE‐502.

Affected Systems

The flaw affects any WordPress site that uses the Elated‑Themes Valiance theme at version 1.2 or earlier. Sites that have not upgraded to 1.3 or a later release are at risk.

Risk and Exploitability

With a CVSS score of 8.1 the vulnerability is rated high severity, yet the EPSS score is below 1 %, indicating a low probability of exploitation at present. The site is not listed in the CISA KEV catalog. Because no authentication is required, an attacker is likely able to craft a malicious request that triggers the object injection. The combination of a critical weakness and the lack of required credentials suggests a moderate to high risk if the theme remains unpatched.

Generated by OpenCVE AI on June 17, 2026 at 20:35 UTC.

Remediation

Vendor Solution

Update the WordPress Valiance Theme to the latest available version (at least 1.3).


OpenCVE Recommended Actions

  • Update the Valiance theme to version 1.3 or newer to eliminate the flaw.
  • If an immediate update is not possible, replace the Valiance theme with a secure alternative or disable the theme entirely to prevent exploitation.
  • Conduct a security assessment of the WordPress installation to ensure that no vulnerable serialized payloads remain exposed in theme files or the database.

Generated by OpenCVE AI on June 17, 2026 at 20:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes valiance
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes valiance
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Valiance <= 1.2 versions.
Title WordPress Valiance theme <= 1.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Elated-themes Valiance
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:39:39.567Z

Reserved: 2026-04-07T10:48:38.855Z

Link: CVE-2026-39578

cve-icon Vulnrichment

Updated: 2026-06-17T10:39:35.001Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:04Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data