Description
Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated PHP Object Injection flaw exists in the Edge-Themes Valeska WordPress theme (versions up to 1.2.2). The flaw allows an attacker to supply malicious serialized data that is unserialized by the theme, potentially leading to the instantiation of unexpected objects and the execution of arbitrary PHP code. This could compromise the confidentiality, integrity, and availability of the affected WordPress site, possibly giving the attacker remote control over the server.

Affected Systems

The vulnerability impacts the Edge‑Themes Valeska WordPress theme versions 1.0 through 1.2.2. Users running these versions must consider updating to the patched release or applying a workaround to mitigate the risk.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity. However, the EPSS score of less than 1 % suggests that exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is unauthenticated, implying that an attacker can trigger the flaw via any web request that reaches the vulnerable code. Successful exploitation requires that the attacker be able to inject serialized data into a parameter that the theme unserializes without proper validation.

Generated by OpenCVE AI on June 17, 2026 at 19:33 UTC.

Remediation

Vendor Solution

Update the WordPress Valeska Theme to the latest available version (at least 1.3).


OpenCVE Recommended Actions

  • Update the Valeska theme to version 1.3 or newer.
  • If an update cannot be applied immediately, block or validate any input that may be serialized and accepted by the theme to prevent unauthenticated injection.
  • Verify that no other plugins or custom code on the site uses PHP’s unserialize on untrusted data and apply appropriate input sanitation to all such user‑supplied inputs.

Generated by OpenCVE AI on June 17, 2026 at 19:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Edge-themes
Edge-themes valeska
Wordpress
Wordpress wordpress
Vendors & Products Edge-themes
Edge-themes valeska
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.
Title WordPress Valeska theme <= 1.2.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Edge-themes Valeska
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:37:18.941Z

Reserved: 2026-04-15T09:20:32.456Z

Link: CVE-2026-40761

cve-icon Vulnrichment

Updated: 2026-06-17T10:37:13.858Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:22Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data