Description
Unauthenticated PHP Object Injection in Micdrop <= 1.3.1 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated PHP Object Injection in WordPress Micdrop Theme versions 1.3.1 and earlier allows an attacker to inject malicious objects through serialized data. This vulnerability, classified as CWE-502, can lead to full remote code execution on the affected site, compromising confidentiality, integrity, and availability of the web application and potentially the underlying server environment.

Affected Systems

The vulnerability affects the Micdrop Theme published by Select‑Themes. All users running Micdrop versions 1.3.1 or older are impacted. The recommended fix is to upgrade to Micdrop 1.4 or later, which contains the necessary patch.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% shows a low likelihood of exploitation observed in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote exploitation via crafted serialized input from an unauthenticated user, which can be supplied through various WordPress interfaces that accept serialized data. If exploited, the attacker gains the privileges of the web server process and can execute arbitrary PHP code, delete or modify data, and pivot to other parts of the infrastructure.

Generated by OpenCVE AI on June 17, 2026 at 19:35 UTC.

Remediation

Vendor Solution

Update the WordPress Micdrop Theme to the latest available version (at least 1.4).


OpenCVE Recommended Actions

  • Apply the latest Micdrop Theme (version 1.4 or newer) to remove the vulnerability.
  • Restrict write permissions on the theme's directory so that the web server cannot alter or replace theme files, preventing accidental reintroduction of the flaw.
  • Inspect the theme code for any remaining unserialize() calls on user‑provided data and replace them with safer alternatives such as json_decode(), or apply a whitelist of allowed classes before unserializing.

Generated by OpenCVE AI on June 17, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Select-themes
Select-themes micdrop
Wordpress
Wordpress wordpress
Vendors & Products Select-themes
Select-themes micdrop
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Micdrop <= 1.3.1 versions.
Title WordPress Micdrop theme <= 1.3.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Select-themes Micdrop
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:39:26.132Z

Reserved: 2026-04-07T10:48:38.855Z

Link: CVE-2026-39580

cve-icon Vulnrichment

Updated: 2026-06-17T10:39:21.570Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:03Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data