Description
Unauthenticated PHP Object Injection in Thrive Apprentice < 10.8.10.2 versions.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated PHP Object Injection flaw exists in the Thrive Apprentice plugin for WordPress versions prior to 10.8.10.2. The vulnerability allows an attacker to supply malicious serialized data that the plugin deserializes, creating arbitrary PHP objects. This can lead to the execution of arbitrary code, potentially compromising the confidentiality, integrity and availability of the infected site. The flaw is classified as CWE‑502, which denotes deserialization of untrusted data.

Affected Systems

WordPress installations that have the Thrive Apprentice plugin installed with a version older than 10.8.10.2 are affected. The vulnerability applies to any site that loads the plugin, regardless of user role, because authentication is not required to trigger the deserialization logic.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity. Although an EPSS score is not publicly available, the lack of a CISA KEV listing does not reduce the risk; the vulnerability remains highly exploitable, especially in environments where the plugin is exposed to the public internet. Likely attack vectors involve unauthenticated HTTP requests that carry crafted serialized objects to the plugin’s deserialization endpoint, a scenario inferred from the description as the attack does not require credentials.

Generated by OpenCVE AI on June 18, 2026 at 12:08 UTC.

Remediation

Vendor Solution

Update the WordPress Thrive Apprentice Plugin to the latest available version (at least 10.8.10.2).


OpenCVE Recommended Actions

  • Update the Thrive Apprentice plugin to version 10.8.10.2 or later.
  • If updating immediately is not feasible, deactivate the plugin on live sites to prevent exploitation.
  • As a short‑term workaround, remove any serialized data processing that the plugin performs from publicly accessible endpoints until the patch is applied.

Generated by OpenCVE AI on June 18, 2026 at 12:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Thrivethemes
Thrivethemes thrive Apprentice
Wordpress
Wordpress wordpress
Vendors & Products Thrivethemes
Thrivethemes thrive Apprentice
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Thrive Apprentice < 10.8.10.2 versions.
Title WordPress Thrive Apprentice plugin < 10.8.10.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Thrivethemes Thrive Apprentice
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:34:46.211Z

Reserved: 2026-05-27T15:12:19.105Z

Link: CVE-2026-49107

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T12:15:02Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data