CVE-2026-39539 | Severity: HIGH | CNA: Patchstack

CVE-2026-39539: WordPress Alloggio - Hotel Booking theme <= 2.1.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Alloggio - Hotel Booking <= 2.1.2 versions.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a class of vulnerability in which attacker-controlled input is passed to PHP's unserialize() function. Because unserialize() instantiates whatever classes the payload names and runs their magic methods (__wakeup, __destruct, __toString and similar), a crafted payload can manipulate object behavior at runtime. The Alloggio Hotel Booking WordPress theme, versions 2.1.2 and earlier, is affected, and the vulnerability is reachable over the network with no authentication required. When a suitable property-oriented programming chain (POP chain) exists in the environment, successful exploitation gives an attacker the ability to read sensitive data, modify server-side state, or execute arbitrary code. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
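The unserialize() sink described above, as an added example that is not code from the Alloggio theme or from HarborGuard: a hypothetical booking-search cookie handler in its object-injection-prone form beside two hardened forms. The cookie name, the function names and the sample payload are assumptions constructed for this example.

```php
<?php
// Added example, not code from the Alloggio theme or HarborGuard. It models a
// hypothetical theme feature that restores a visitor's booking-search state
// from a cookie, first the object-injection-prone way, then two safe ways.

// VULNERABLE: attacker-controlled bytes reach unserialize(). Any class loaded by
// core, a plugin or the theme whose __wakeup/__destruct/__toString has side
// effects becomes a gadget, which is what a POP chain strings together.
function hotel_search_state_vulnerable(array $cookies): array {
    $state = unserialize(base64_decode($cookies['hotel_search'] ?? '')); // sink
    return is_array($state) ? $state : [];
}

// Accept only scalars of the expected type; never trust the blob's shape.
// (Inside WordPress, sanitize_text_field() would replace the trim/strip_tags.)
function hotel_pick_state(array $state): array {
    $checkin  = is_string($state['checkin']  ?? null) ? $state['checkin']  : '';
    $checkout = is_string($state['checkout'] ?? null) ? $state['checkout'] : '';
    $guests   = is_int($state['guests'] ?? null) ? $state['guests'] : 1;
    return [
        'checkin'  => trim(strip_tags($checkin)),
        'checkout' => trim(strip_tags($checkout)),
        'guests'   => max(1, min(20, $guests)),
    ];
}

// HARDENED (a): keep the serialized format but forbid object instantiation.
// Objects in the payload become __PHP_Incomplete_Class, so no magic method runs.
function hotel_search_state_no_objects(array $cookies): array {
    $raw = base64_decode($cookies['hotel_search'] ?? '', true);
    if ($raw === false) { return []; }
    $state = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($state) ? hotel_pick_state($state) : [];
}

// HARDENED (b, preferred): JSON has no class concept, so there is nothing to inject.
function hotel_search_state_json(array $cookies): array {
    $state = json_decode((string)($cookies['hotel_search'] ?? ''), true, 8);
    return is_array($state) ? hotel_pick_state($state) : [];
}

// Self-check with a constructed cookie whose "checkin" slot carries a serialized
// object (a harmless stdClass). The vulnerable path hands back a live object;
// the hardened path discards it and returns an empty check-in string.
$cookie = ['hotel_search' => base64_encode('a:1:{s:7:"checkin";O:8:"stdClass":0:{}}')];
var_dump(is_object(hotel_search_state_vulnerable($cookie)['checkin']));
var_dump(hotel_search_state_no_objects($cookie)['checkin']);
```

The `allowed_classes` option only neutralises class instantiation; the JSON form is preferred because the attack surface disappears entirely rather than being filtered.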

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-39539 is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images, including custom-built images that bundle the Alloggio theme. Any image layer containing the affected theme version is flagged automatically in both registry scans and CI pipeline checks.

Triage: Available

HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each customer's per-environment compliance policy to determine urgency and routing. The triage result is surfaced to the inbox or ticketing integration configured within each customer organization, so the right team receives the alert without manual filtering.

Patch: Pending upstream

No upstream fix version has been published for CVE-2026-39539 as of the record date. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the theme vendor publishes a remediated release. Customers with auto-remediation enabled then receive a rebuild, a regression-test run, and a PR opened against affected workloads immediately afterwards.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP/HTTPS from a remote location.

  • Authentication: Not required

    No account or session token is needed; the injection vector is accessible to unauthenticated HTTP requests.

  • Victim interaction: Not required

    The attack is fully server-side and does not require any user action such as clicking a link or opening a file.

  • Attack complexity: High

    Attack complexity is rated HIGH, meaning exploitation is not condition-free; the attacker likely depends on a usable POP chain being present in the target PHP environment, which varies by installed plugins and themes.

Blast Radius

  • An attacker with a working POP chain can read sensitive server-side data, including WordPress database credentials, API keys, and stored user records.
  • A successful exploit can modify persisted data such as database rows, configuration files, or user account details.
  • Depending on the POP chain available, an attacker can achieve remote code execution on the underlying server hosting the WordPress installation.
  • Full compromise of confidentiality, integrity, and availability of the affected WordPress host is within scope of a successful exploitation.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active and matched against every image in enrolled registries and pipelines. Because no upstream fix exists yet, the immediate recommended action is to isolate affected WordPress containers behind strict network policy rules that limit inbound HTTP access to trusted sources only, and to audit installed plugins and themes for POP chain candidates that could amplify exploitability. Egress filtering on the container can limit the impact of any successful code-execution payload that attempts to establish a reverse shell or exfiltrate data. HarborGuard monitors the Patchstack advisory on every ingest cycle; when the Alloggio theme vendor publishes a patch, a rebuilt image will become available, and customers with auto-remediation enabled will receive a rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Affected packages
  • Edge-Themes / Alloggio - Hotel Booking: ≤ 2.1.2
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H