Description
Unauthenticated PHP Object Injection in EasyMeals <= 1.5.1 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw present in EasyMeals theme versions 1.5.1 and earlier. The theme deserializes data that can be supplied by an unauthenticated user, a weakness characterized by CWE‑502. When an attacker supplies a crafted serialized object, the unserialize() call can instantiate arbitrary PHP objects, potentially allowing the attacker to execute code, modify server files, or otherwise compromise the application. The primary impact is the possibility of remote code execution, which can lead to complete compromise of the WordPress site, data theft, defacement, or the installation of malware. The vulnerability permits exploitation without the need for login credentials, relying only on the unfiltered input accepted by the theme.

Affected Systems

The affected product is the Mikado‑Themes EasyMeals WordPress theme. Versions 1.5.1 and all earlier releases are vulnerable. Administrators should review the theme version deployed on their sites and determine whether it matches the safe version 1.6 or higher.

Risk and Exploitability

The CVSS score of 8.1 places this flaw in the high‑severity range, indicating significant impact if exploited. EPSS availability is not provided, so the current likelihood of exploitation remains unknown, but the lack of KEV listing suggests no widespread exploitation reported yet. Nonetheless, because the attack requires no authentication and leverages a built‑in unserialize call, the practical exploitation window is large. Site owners should treat this as a high‑risk vulnerability and address it urgently, as the potential for remote code execution is well documented for similar injection flaws.

Generated by OpenCVE AI on June 18, 2026 at 12:14 UTC.

Remediation

Vendor Solution

Update the WordPress EasyMeals Theme to the latest available version (at least 1.6).


OpenCVE Recommended Actions

  • Upgrade the EasyMeals theme to version 1.6 or newer, as the updated release removes the insecure unserialize functionality.
  • Patch or refactor any existing unsanitized unserialize() calls within the theme by validating input or replacing them with safer deserialization methods such as json_decode. This directly mitigates the CWE‑502 weakness.
  • Implement application‑level input filtering or utilize Web Application Firewall rules that detect and block malformed serialized payloads to provide a temporary containment strategy while the theme is updated.

Generated by OpenCVE AI on June 18, 2026 at 12:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes easymeals
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes easymeals
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in EasyMeals <= 1.5.1 versions.
Title WordPress EasyMeals theme <= 1.5.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Mikado-themes Easymeals
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:35:37.952Z

Reserved: 2026-04-15T09:20:25.914Z

Link: CVE-2026-40753

cve-icon Vulnrichment

Updated: 2026-06-17T14:35:29.901Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:10Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data