CVE-2026-39529: WordPress Elementra theme <= 1.0.9 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Elementra <= 1.0.9 versions.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
PHP Object Injection is a vulnerability where an attacker sends crafted serialized data to a PHP application, tricking it into instantiating arbitrary objects and potentially executing attacker-controlled code. This critical flaw affects the WordPress Elementra theme (versions 1.0.9 and earlier) and is reachable over the network with no authentication required. Successful exploitation gives the attacker full read, write, and availability impact over the affected host. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment an upstream fix is released.
HarborGuard Coverage
Detection for CVE-2026-39529 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including Patchstack. Coverage extends to custom-built images that bundle the Elementra theme, not just images pulled from public registries.
- Status: Available
HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.8 (Critical) and weighting it against each environment's compliance policy to determine escalation priority. Routing to the appropriate team inbox within each customer organization is available based on configured ownership rules.
- Status: Available
Because no fix version has been published for Elementra, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream patch is released. In the interim, compensating-control recommendations are surfaced to help teams reduce exposure while the vendor patch is pending.
- Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, meaning any internet-reachable instance of a site running Elementra is within reach of an attacker without requiring LAN or physical access.
- Authentication: Not required
No account or credential of any privilege level is needed; the injection can be triggered by an anonymous HTTP request.
- Victim interaction: Not required
The attacker does not need a victim to click a link, visit a page, or take any action; exploitation is fully attacker-driven.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no race condition, special memory layout, or environmental precondition beyond reaching the service.
Blast Radius
- Reads arbitrary files and sensitive data stored on the server, including WordPress database credentials and stored user session tokens.
- Writes or modifies files on the server filesystem, enabling persistent backdoor installation or replacement of theme and plugin files.
- Executes arbitrary PHP code through a suitable gadget chain in the loaded codebase, achieving full remote code execution on the host.
- Crashes or degrades the affected WordPress site by destroying configuration or triggering fatal errors, causing a denial of service.
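As an added illustration of the mechanism in the synopsis and of the gadget-chain item above (hypothetical code written for this page, not the Elementra theme's own vulnerable sink, which the advisory does not show): a settings loader with the unsafe unserialize() call beside a hardened version, using a constructed CacheWriter class as a stand-in for a gadget whose destructor only reports what it would have done.

```php
<?php
// Added illustration of PHP Object Injection; hypothetical code, not the Elementra theme's.
// Stand-in for a gadget: any loaded class whose magic method has a side effect.
// Here the destructor only reports what a real gadget would have done.
class CacheWriter {
    public $path = '';
    public $body = '';
    public function __destruct() {
        echo "CacheWriter::__destruct would write to {$this->path}\n";
    }
}

// Vulnerable pattern: untrusted input reaches unserialize() with no class restriction,
// so the payload decides which classes are instantiated and which magic methods run.
function load_settings_unsafe(string $raw) {
    return unserialize($raw);
}

// True if the decoded value contains an object at any depth.
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern: allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class, so no constructor, __wakeup or __destruct of a real class runs;
// the caller then rejects the value outright, since settings should never carry objects.
function load_settings_safe(string $raw) {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false || contains_object($value)) {
        return null; // malformed or object-bearing payload: treat as tampering
    }
    return $value;
}

// Constructed sample payload: a CacheWriter object where a settings array was expected.
$payload = 'O:11:"CacheWriter":2:{s:4:"path";s:10:"/tmp/x.php";s:4:"body";s:0:"";}';

$unsafe = load_settings_unsafe($payload); // attacker-chosen class is instantiated; its
var_dump($unsafe instanceof CacheWriter);  // destructor fires when $unsafe is released
var_dump(load_settings_safe($payload));    // null: object rejected, no magic method ran
```

Storing settings as JSON (json_decode with associative arrays) removes the deserialization sink entirely and is the preferable fix where the data format is under your control.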
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the CVE-2026-39529 advisory is active, with re-evaluation on every ingest cycle so that a patched-image rebuild becomes available the moment ThemeREX Group publishes a fix. Because no upstream patch exists today, customers are encouraged to use HarborGuard's network-policy recommendations to isolate affected workloads from public ingress, apply egress filtering to limit post-exploitation reach, and consider disabling or replacing the Elementra theme in images until a fix is available. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger automatically once a fix version is published, with no manual intervention required.
Affected Products
- ThemeREX Group / Elementra: ≤ 1.0.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H