Description
Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated PHP Object Injection flaw that allows a remote attacker to insert malicious object instances into the application’s deserialization process. Because the flaw resides in the deserialization logic, a crafted payload can lead to arbitrary code execution on the server. The weakness aligns with CWE‑502, deserialization of untrusted data, which is a high‑severity vulnerability that can compromise confidentiality, integrity, and availability of the affected system.

Affected Systems

The Edge‑Themes Laurits WordPress theme, versions 1.5.1 and earlier, is affected. Any WordPress installation that has this theme installed and active potentially exposes the flaw, regardless of the WordPress core version. Users of the theme should verify that they are running a version newer than 1.5.1.

Risk and Exploitability

The CVSS score of 8.1 indicates a high likelihood of exploitation if permitted. The EPSS score of less than 1% suggests that, at present, this vulnerability is not widely exploited, but the presence of an unauthenticated vector removes the need for credentials. The vulnerability is not listed in CISA’s KEV catalog, but the potential for remote code execution warrants prompt action. An attacker can exploit the system by submitting a specially crafted request that triggers deserialization of an injected object, which can execute arbitrary code on the server.

Generated by OpenCVE AI on June 17, 2026 at 19:35 UTC.

Remediation

Vendor Solution

Update the WordPress Laurits Theme to the latest available version (at least 1.6).


OpenCVE Recommended Actions

  • Update the Laurits theme to version 1.6 or later.
  • If an immediate update is not possible, deactivate or remove the Laurits theme from all sites and switch to a non‑vulnerable theme.
  • After upgrading or removing the theme, verify that the former theme files are no longer accessible and that file permissions restrict external access to PHP files.

Generated by OpenCVE AI on June 17, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Edge-themes
Edge-themes laurits
Wordpress
Wordpress wordpress
Vendors & Products Edge-themes
Edge-themes laurits
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions.
Title WordPress Laurits theme <= 1.5.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Edge-themes Laurits
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:39:12.697Z

Reserved: 2026-04-15T09:19:28.916Z

Link: CVE-2026-40736

cve-icon Vulnrichment

Updated: 2026-06-17T10:39:08.099Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:26Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data