Description
Unauthenticated PHP Object Injection in Roisin <= 1.4 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated PHP Object Injection flaw exists in the Roisin theme version 1.4 and earlier for WordPress. The vulnerability allows an attacker to craft input that is deserialized by the theme code, enabling the instantiation of arbitrary PHP objects. This flaw is a classic example of CWE‑502: Deserialization of Untrusted Data, and can potentially lead to remote code execution, data tampering, or system compromise if the attacker can control object properties and method calls.

Affected Systems

The affected product is the Roisin theme provided by Elated Themes. Versions 1.4 and all earlier releases are vulnerable. Users running any of these versions on a WordPress installation are at risk unless the theme is updated to 1.5 or newer.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests the probability of exploitation is low at present. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is unauthenticated, any user able to submit data that reaches the vulnerable code—likely through a public-facing form or URL parameter—could trigger the injection. Once the attacker injects a crafted payload, PHP object instantiation may execute arbitrary code on the host, giving complete control of the affected WordPress site.

Generated by OpenCVE AI on June 17, 2026 at 18:16 UTC.

Remediation

Vendor Solution

Update the WordPress Roisin Theme to the latest available version (at least 1.5).


OpenCVE Recommended Actions

  • Upgrade the Roisin theme to version 1.5 or newer as recommended by the vendor
  • If an upgrade cannot be performed immediately, remove or replace the Roisin theme with a secure alternative and restrict any remaining plugin or theme files from being stored in public directories
  • Keep all WordPress core files, plugins, and themes up to date, and audit any custom PHP code for unserialization or object instantiation that may expose similar risks

Generated by OpenCVE AI on June 17, 2026 at 18:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes roisin
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes roisin
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Roisin <= 1.4 versions.
Title WordPress Roisin theme <= 1.4 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Elated-themes Roisin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:38:30.642Z

Reserved: 2026-04-15T09:20:25.914Z

Link: CVE-2026-40754

cve-icon Vulnrichment

Updated: 2026-06-17T10:38:24.974Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:30:04Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data