Description
Unauthenticated PHP Object Injection in AI Lab < 5.4.2 versions.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated PHP Object Injection is present in WordPress AI Lab theme versions below 5.4.2. This flaw allows an attacker to instantiate arbitrary objects through crafted input, which can trigger malicious code execution or manipulation of application state. The weakness is identified as CWE‑502 and can be leveraged to compromise the WordPress installation and the data it manages.

Affected Systems

The affected product is the WordPress AI Lab theme from jwsthemes. Versions lower than 5.4.2 are vulnerable; the patch is available starting at 5.4.2.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, and while the EPSS data is absent, the lack of authentication requirements and the high score suggest a significant exploitation likelihood. The vulnerability is not yet listed in the CISA KEV catalog, but its potential impact warrants immediate attention. Attackers can exploit the flaw through unauthenticated requests to the theme’s endpoints or by manipulating query parameters, making it broadly exploitable over the internet.

Generated by OpenCVE AI on June 18, 2026 at 14:33 UTC.

Remediation

Vendor Solution

Update the WordPress AI Lab Theme to the latest available version (at least 5.4.2).


OpenCVE Recommended Actions

  • Update the AI Lab theme to version 5.4.2 or later
  • Disable or uninstall the AI Lab theme if it is not needed
  • Ensure the WordPress core, all plugins, and remaining themes are up to date to reduce overall attack surface

Generated by OpenCVE AI on June 18, 2026 at 14:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Jwsthemes
Jwsthemes ai Lab
Wordpress
Wordpress wordpress
Vendors & Products Jwsthemes
Jwsthemes ai Lab
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in AI Lab < 5.4.2 versions.
Title WordPress AI Lab theme < 5.4.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Jwsthemes Ai Lab
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:20:04.529Z

Reserved: 2026-04-27T08:22:05.095Z

Link: CVE-2026-42380

cve-icon Vulnrichment

Updated: 2026-06-17T12:19:59.542Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:05Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data