Description
Unauthenticated PHP Object Injection in Manufaktur Solutions <= 1.1.1 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic PHP Object Injection flaw in the Select‑Themes Manufaktur Solutions WordPress theme, version 1.1.1 and earlier. Because the theme does not properly sanitize or restrict the classes that can be deserialized, an attacker can craft a payload that instantiates arbitrary PHP objects. Executing such code can lead to arbitrary code execution on the web server, giving the attacker full control over the site.

Affected Systems

Any WordPress installation that has the Manufaktur Solutions theme (Select‑Themes) installed at a version older than 1.2 is affected. This includes sites using the default theme, gallery, or ecommerce components that rely on the theme's PHP scripts.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1, indicating a high severity. The EPSS score is not available, and the flaw is not listed in CISA's KEV catalog. Because authentication is not required and the flaw depends on deserialization in a public theme file, an attacker can target the site via any HTTP request that triggers the vulnerable code. Exploitation is straightforward for an attacker familiar with PHP Object Injection, making the risk high for any exposed WordPress site using the affected theme.

Generated by OpenCVE AI on June 18, 2026 at 11:45 UTC.

Remediation

Vendor Solution

Update the WordPress Manufaktur Solutions Theme to the latest available version (at least 1.2).


OpenCVE Recommended Actions

  • Update the Manufaktur Solutions Theme to version 1.2 or later from the official theme repository.
  • After updating, reinstall the theme files from the original source to ensure no tampered code remains and verify the file integrity using checksums or a plugin.
  • As a temporary barrier, switch the site to a default WordPress theme until the update is confirmed, or completely uninstall the vulnerable theme if immediate restoration is required.

Generated by OpenCVE AI on June 18, 2026 at 11:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Select-themes
Select-themes manufaktur Solutions
Wordpress
Wordpress wordpress
Vendors & Products Select-themes
Select-themes manufaktur Solutions
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Manufaktur Solutions <= 1.1.1 versions.
Title WordPress Manufaktur Solutions theme <= 1.1.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Select-themes Manufaktur Solutions
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:38:11.201Z

Reserved: 2026-04-15T09:20:25.914Z

Link: CVE-2026-40752

cve-icon Vulnrichment

Updated: 2026-06-17T15:38:03.849Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:43Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data