Description
Subscriber PHP Object Injection in RealHomes <= 4.5.3 versions.
Published: 2026-06-26
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Subscriber PHP Object Injection allows an attacker to insert a crafted serialized object into the RealHomes theme when a user subscribes, potentially causing the application to unserialize the payload and execute malicious code. This vulnerability falls under CWE-502, the deserialization of untrusted data, and can lead to remote code execution or privilege escalation within the WordPress installation. The impact is severe, as the attacker could gain full control over the compromised site.

Affected Systems

The RealHomes theme version 4.5.3 and earlier from InspiryThemes is affected. Users running these older theme releases on WordPress should verify their version and upgrade when possible.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and because the EPSS score is not available, the exploitation probability remains uncertain, but the vulnerability is not yet listed in the C The likely attack vector involves sending a crafted serialized payload through a subscription endpoint, such as the contact form or user registration, which triggers the. If executed, the attacker can induce arbitrary code execution or modify site content, providing a pathway to compromise the entire WordPress environment.

Generated by OpenCVE AI on June 26, 2026 at 17:16 UTC.

Remediation

Vendor Solution

Update the WordPress RealHomes Theme to the latest available version (at least 4.5.4).


OpenCVE Recommended Actions

  • Upgrade the RealHomes theme to version 4.5.4 or later, which removes the vulnerable unserialize call
  • Disallow serialized input in any forms or endpoints by validating and sanitizing input before processing if an upgrade cannot be applied immediately
  • Audit the theme code for remaining unserialize usage and modify or eliminate it, ensuring that only trusted data is deserialized
  • Implement web application firewalls or input filtering rules to block suspicious serialized object strings in HTTP requests

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Inspirythemes; Inspirythemes realhomes; Wordpress; Wordpress wordpress
Vendors & Products | | Inspirythemes; Inspirythemes realhomes; Wordpress; Wordpress wordpress

Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Subscriber PHP Object Injection in RealHomes <= 4.5.3 versions.
Title | | WordPress RealHomes theme <= 4.5.3 - PHP Object Injection vulnerability
Weaknesses | | CWE-502
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T20:17:51.689Z

Reserved: 2026-06-18T14:38:04.420Z

Link: CVE-2026-56055

Vulnrichment

Updated: 2026-06-26T20:17:47.064Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T19:30:04Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data