HIGH · CVE-2026-39481 · CNA: Patchstack

CVE-2026-39481: WordPress Modula Image Gallery plugin <= 2.14.18 - PHP Object Injection vulnerability

PHP Object Injection in Modula Image Gallery versions <= 2.14.18.

Metrics

  • CVSS v3.1: 7.2
  • Severity: HIGH
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection vulnerability in the Modula Image Gallery WordPress plugin affects all versions up to and including 2.14.18. The flaw is reachable over the network but requires a high-privilege (administrator-level) account, meaning an attacker must first obtain admin credentials before reaching the vulnerable code path. Successful exploitation allows the attacker to read, modify, or delete data and fully compromise the affected WordPress host. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as a fix version is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-39481 is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle this plugin.

Triage: Available

Triage is available using the CVSS 3.1 score of 7.2 (HIGH), with per-environment compliance policy weighting applied to route findings to the appropriate team inbox inside each customer organization.

Patch: Pending upstream

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as WP Chill publishes a remediated release. For customers who opt into auto-remediation, that rebuild triggers a regression run and opens a PR against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the WordPress installation via HTTP/HTTPS.

  • Authentication: Required

    Exploitation requires a high-privilege (admin-level) account; a low-privilege or unauthenticated request is not sufficient to trigger the injection.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any other user to carry out the attack once admin credentials are available.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.

Blast Radius

  • Reads any file accessible to the web server process, including WordPress configuration files containing database credentials.
  • Modifies or deletes database rows, post content, user accounts, and plugin configuration stored on the site.
  • Executes arbitrary code on the host by deserializing a crafted PHP object that chains to a file-write or system-call gadget in the PHP environment.
  • Fully compromises the underlying server, enabling installation of backdoors or use of the host as a pivot point within the same network segment.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-39481, the platform monitors the Patchstack advisory and the WP Chill release feed on every ingest cycle and will surface a patched-image rebuild option the moment a fix version is published. In the interim, customers can apply compensating controls: network-policy rules that restrict wp-admin access to known IP ranges, web application firewall rules that reject serialized PHP payloads in POST bodies targeting the Modula plugin's admin endpoints, and feature-flag or plugin-deactivation gating in staging pipelines to prevent the affected plugin from being promoted to production. For customers who opt into auto-remediation, once a fix version is available the rebuild, regression test run, and PR against affected workloads will be initiated without manual steps. Severity routing is active now, so the finding is already eligible to flow to the appropriate team inbox under each customer's compliance policy.
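The WAF-style compensating control mentioned above, as an added example that is not HarborGuard's or the plugin's code: it scans form-encoded POST bodies for the start of a serialized PHP object (raw or base64-wrapped) and blocks such requests when they target WordPress admin entry points. The admin paths, action names and request bodies are assumed or constructed for illustration; the advisory does not list the plugin's own handlers.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote

# Start of a serialized PHP object: O:<len>:"<class>":<count>:{  (C: is the custom-serializer form).
# The leading group lets objects nested inside arrays (";O:...") match as well as top-level ones.
PHP_OBJECT_RE = re.compile(rb'(?:^|[^A-Za-z0-9])[OC]:\d+:"[A-Za-z0-9_\\]+":\d+:[{:]')

# Assumed WordPress admin entry points; the advisory does not list the plugin's own handlers.
ADMIN_ENDPOINTS = ('/wp-admin/admin-ajax.php', '/wp-admin/admin-post.php')


def _candidates(value: bytes):
    """Yield the raw value and, when it is clean base64, its decoded form (payloads are often wrapped)."""
    yield value
    stripped = value.strip()
    if len(stripped) >= 8 and re.fullmatch(rb'[A-Za-z0-9+/=]+', stripped):
        try:
            yield base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            pass


def find_php_object_params(body: bytes) -> list:
    """Names of form-encoded POST fields whose value carries a serialized PHP object (raw or base64)."""
    # latin-1 keeps a 1:1 byte/char mapping, so percent-decoded bytes survive the round trip intact.
    pairs = parse_qsl(body.decode('latin-1'), keep_blank_values=True, encoding='latin-1')
    return [name for name, value in pairs
            if any(PHP_OBJECT_RE.search(c) for c in _candidates(value.encode('latin-1')))]


def should_block(path: str, body: bytes) -> bool:
    """WAF decision: reject object-bearing bodies aimed at admin endpoints; other paths are only flagged."""
    return path.startswith(ADMIN_ENDPOINTS) and bool(find_php_object_params(body))


# Constructed sample requests (not captured traffic); action names are placeholders.
SAMPLE_REQUESTS = [
    ('/wp-admin/admin-ajax.php', b'action=example_save&settings%5Bcolumns%5D=3'),
    ('/wp-admin/admin-ajax.php',
     b'action=example_import&data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D'),
    ('/wp-admin/admin-ajax.php', b'action=example_import&data='
     + quote(base64.b64encode(b'O:8:"stdClass":0:{}'), safe='').encode()),
    ('/wp-json/wp/v2/posts', b'title=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D'),
]

if __name__ == '__main__':
    for path, body in SAMPLE_REQUESTS:
        print(path, find_php_object_params(body), 'BLOCK' if should_block(path, body) else 'allow')
```

Only application/x-www-form-urlencoded bodies are handled; multipart uploads and JSON bodies need their own field extraction before the same value check is applied.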

Affected packages
  • WP Chill / Modula Image Gallery
    ≤ 2.14.18
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H