CVE-2026-39545 | Severity: HIGH | CNA: Patchstack

CVE-2026-39545: WordPress Zermatt theme <= 1.6.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Zermatt versions 1.6.1 and earlier.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a vulnerability class in which attacker-controlled input reaches PHP's unserialize() function, letting the attacker instantiate objects of any class loaded in the application and, through magic methods such as __wakeup() and __destruct(), trigger dangerous code paths that already exist there. The Zermatt WordPress theme (versions 1.6.1 and below) contains such a flaw that is reachable over the network without authentication, though exploitation carries elevated attack complexity because the attacker needs a usable gadget chain in the target's PHP code. Successful exploitation can give the attacker full read, write and availability impact on the affected host; what is actually achievable depends on which PHP classes are available in the environment. HarborGuard is tracking this advisory because no upstream fix has been published yet.
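
The vulnerability class described above, as an added illustration. This is not code from the Zermatt theme (the advisory does not show its vulnerable code path); the TemplateCache class, the restore functions, the cookie contents and the target file path are hypothetical and constructed for the demonstration. It needs PHP 7.4 or newer (typed properties) and can be run directly from the CLI.

```php
<?php
// Added illustration of PHP Object Injection; not code from the Zermatt theme.
// The class, function and cookie names are hypothetical.

// A class that already ships with the application (a "gadget").  Used as
// intended it is harmless: it flushes a rendered fragment to disk when the
// object is destroyed.
final class TemplateCache
{
    public string $path;
    public string $content;

    public function __construct(string $path, string $content)
    {
        $this->path    = $path;
        $this->content = $content;
    }

    // PHP runs __destruct when the object is freed, including objects that
    // unserialize() created and on which no method was ever called.
    public function __destruct()
    {
        file_put_contents($this->path, $this->content);
    }
}

// VULNERABLE: attacker-controlled input reaches unserialize() unfiltered.
// Instantiating the gadget with attacker-chosen properties is the whole attack.
function vulnerable_restore(string $cookie): array
{
    $state = unserialize(base64_decode($cookie));
    return is_array($state) ? $state : [];   // $state is freed here, so __destruct fires
}

// HARDENED: with allowed_classes => false (PHP >= 7.0) every object in the
// payload becomes __PHP_Incomplete_Class, which has no destructor, so the
// gadget never executes; arrays and scalars are still restored.
function hardened_restore(string $cookie): array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return [];
    }
    $state = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($state) ? $state : [];
}

// PREFERRED: use a format that cannot carry objects at all.
function json_restore(string $cookie): array
{
    $raw   = base64_decode($cookie, true);
    $state = $raw === false ? null : json_decode($raw, true, 8);
    return is_array($state) ? $state : [];
}

// Constructed payload, built as a string the way an attacker would craft it
// offline (serializing a live TemplateCache here would itself fire __destruct).
// Every s:N: length prefix must match the byte count of the string that follows.
$target  = '/tmp/poi-demo.txt';
$payload = base64_encode(
    'O:13:"TemplateCache":2:{s:4:"path";s:17:"/tmp/poi-demo.txt";'
    . 's:7:"content";s:22:"<?php echo "owned"; ?>";}'
);

@unlink($target);
vulnerable_restore($payload);             // the gadget's destructor writes the attacker's file
printf("vulnerable: file written = %s\n", var_export(file_exists($target), true));

@unlink($target);
hardened_restore($payload);               // incomplete class, no destructor, nothing written
printf("hardened:   file written = %s\n", var_export(file_exists($target), true));

@unlink($target);
json_restore($payload);                   // not JSON, decodes to null, nothing written
printf("json:       file written = %s\n", var_export(file_exists($target), true));
```

The point of the demonstration is that the attacker calls nothing: the object is created by unserialize() and its __destruct() runs when the variable goes out of scope, before vulnerable_restore() even returns. The same would hold for a __wakeup() gadget, which fires during unserialize() itself. Which gadgets exist is a property of the whole code base loaded on the site, not of the theme alone, which is why the advisory rates attack complexity as High.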

HarborGuard Coverage

Detection: Available

Detection is available in every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images that contain the Zermatt theme package, including custom-built WordPress images. Any registry or CI pipeline image found carrying Zermatt 1.6.1 or earlier is flagged immediately.

Triage: Available

HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it further against each customer organization's compliance policy, for example stricter SLAs for internet-exposed workloads. The resulting alert is routed to the owning team within the customer org according to the configured ownership rules.

Patch: Pending upstream

Because Select-Themes has not published a fix version, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available as soon as an upstream fix is released. In the interim the finding is surfaced with compensating-control recommendations so customers can act without waiting for a vendor patch.

Exploit Conditions

  • Network reachability: Required

    The vulnerable deserialization endpoint is reachable over the network, so an attacker must be able to send HTTP requests to the target WordPress installation.

  • Authentication: Not required

    No account or session credential is needed; the injection point is accessible to anonymous requests.

  • Victim interaction: Not required

    The attack is entirely server-side and does not require any action from a logged-in user or administrator.

  • Attack complexity: High

    The attacker must identify a suitable gadget chain, that is, one or more classes with exploitable magic methods (such as __destruct() or __wakeup()) already loaded by WordPress core, the theme, or the installed plugins and their libraries. Which chains exist varies from site to site, so this is not a point-and-click exploit.

Blast Radius

The CVSS vector rates confidentiality, integrity and availability impact as High; which of the following an attacker actually achieves depends on the gadget classes present in the target's PHP code (WordPress core, the theme, installed plugins and their libraries):

  • Reads arbitrary files on the server, including wp-config.php, which holds the database credentials and the authentication keys and salts.
  • Writes or overwrites files on the server, enabling the attacker to plant a webshell or modify theme and plugin files.
  • Executes operating-system commands if a suitable remote-code-execution gadget chain is available in the installed PHP dependencies.
  • Crashes or destabilizes the PHP runtime through destructors in gadget chains, causing service disruption for site visitors.

How HarborGuard Handles This

Because no patched version of the Zermatt theme exists, the platform monitors the Patchstack advisory on every ingest cycle and triggers a patched-image rebuild automatically the moment Select-Themes publishes a fix. For customers with auto-remediation enabled, that rebuild is followed by a regression-test run and a PR opened against affected workloads without manual intervention. In the meantime, HarborGuard flags all images carrying Zermatt 1.6.1 or earlier and surfaces compensating-control guidance:

  • Place the WordPress container behind a web application firewall rule that rejects requests whose bodies, query strings or cookies carry a serialized PHP object (the O:<length>:"ClassName": signature), including its URL-encoded and base64-encoded forms. This is a stopgap, not a fix: a payload wrapped in an encoding the rule does not decode still gets through.
  • Restrict outbound network egress from the container to limit post-exploitation pivot paths and reverse-shell callbacks.
  • Where operationally possible, disable the theme in favor of an unaffected alternative until a vendor patch is available.
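
The first compensating control above, as an added example of what such a request filter looks like when implemented inside WordPress rather than in a WAF. This is not HarborGuard's rule set and not Zermatt code; the function names and the CLI sample inputs are constructed for the demonstration. Written as a must-use plugin (drop the file into wp-content/mu-plugins/, which WordPress loads before themes and ordinary plugins), it also runs from the CLI as a self-check.

```php
<?php
// Added example, not HarborGuard's rule set and not Zermatt code: a WordPress
// must-use plugin that rejects requests carrying a PHP serialized object before
// any theme or plugin code can pass it to unserialize().  Function names and
// the CLI sample inputs are constructed for this demonstration.

// Serialized object (O:) and custom-serialized object (C:) tokens, preceded by
// start-of-string or a non-alphanumeric byte such as ';' or '{' (the only
// things that can precede a value inside a serialized blob).  Arrays (a:) and
// scalars are deliberately allowed: they cannot instantiate a class, and some
// legitimate WordPress requests carry serialized arrays.
const PHP_OBJECT_TOKEN = '/(?:^|[^A-Za-z0-9])[OC]:\d+:"/';

function looks_like_php_object(string $value, int $depth = 0): bool
{
    if ($depth > 3) {
        return false;                               // bound the decode recursion
    }
    if (preg_match(PHP_OBJECT_TOKEN, $value) === 1) {
        return true;
    }
    // Layer 1: percent-encoding; recursion also handles double encoding.
    $decoded = rawurldecode($value);
    if ($decoded !== $value && looks_like_php_object($decoded, $depth + 1)) {
        return true;
    }
    // Layer 2: base64, accepting the URL-safe alphabet and missing padding.
    $b64  = strtr($value, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    if (preg_match('#^[A-Za-z0-9+/]{8,}={0,2}$#', $b64) === 1) {
        $bin = base64_decode($b64, true);
        if ($bin !== false && looks_like_php_object($bin, $depth + 1)) {
            return true;
        }
    }
    return false;
}

// Walk nested request arrays (PHP parses a[b][c]=x into nested arrays).
function request_carries_php_object($input, int $depth = 0): bool
{
    if ($depth > 10) {
        return false;
    }
    if (is_array($input)) {
        foreach ($input as $value) {
            if (request_carries_php_object($value, $depth + 1)) {
                return true;
            }
        }
        return false;
    }
    return is_string($input) && looks_like_php_object($input);
}

// Inside WordPress (ABSPATH is defined), check every input channel and stop
// the request before any theme code runs.
if (defined('ABSPATH')) {
    $suspect = request_carries_php_object($_GET)
        || request_carries_php_object($_POST)
        || request_carries_php_object($_COOKIE)
        || looks_like_php_object((string) file_get_contents('php://input'));
    if ($suspect) {
        http_response_code(400);
        exit('Rejected: request contains a serialized PHP object.');
    }
}

// Self-check when run from the CLI (constructed inputs, not captured traffic).
if (PHP_SAPI === 'cli') {
    $cases = [
        'O:13:"TemplateCache":1:{s:4:"path";s:10:"/tmp/x.php";}' => true,   // plain object
        'a:1:{i:0;O:8:"stdClass":0:{}}'                           => true,   // object nested in an array
        rawurlencode('O:8:"stdClass":0:{}')                       => true,   // percent-encoded
        rtrim(base64_encode('C:3:"Foo":0:{}'), '=')               => true,   // base64, padding stripped
        'a:2:{i:0;s:3:"foo";i:1;i:42;}'                           => false,  // serialized array only
        '{"O:1":1}'                                               => false,  // JSON, not a serialized object
        'hello world'                                             => false,
    ];
    foreach ($cases as $input => $expected) {
        $verdict = looks_like_php_object($input) === $expected ? 'PASS' : 'FAIL';
        printf("%s  %s\n", $verdict, $input);
    }
}
```

Two caveats a practitioner would apply before enforcing this. First, the filter scans each request value as a whole, so a serialized object that is itself a base64 field inside a JSON body, or wrapped in an encoding the filter does not peel (compression, a custom alphabet), is not caught; that is the same limit the WAF rule has and why both are compensating controls rather than fixes. Second, run it in log-only mode against the site's own admin workflows first, since blocking on the C: token will also reject any legitimate request that carries a Serializable object.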

Affected packages
  • Select-Themes / Zermatt
    ≤ 1.6.1
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H