CVE-2026-39551 | Severity: HIGH | CNA: Patchstack

CVE-2026-39551: WordPress Töbel theme <= 1.8.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Elated-Themes Töbel allows Object Injection. This issue affects Töbel: from n/a through 1.8.1.

Metrics

CVSS v3.1 base score: 8.1
Severity: HIGH
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

PHP object injection via deserialization of untrusted data in the Elated-Themes Töbel WordPress theme (versions 1.8.1 and earlier). The deserialization sink is reachable over the network with no authentication, but object injection on its own is only a primitive: it becomes code execution, file access or data tampering only when a usable gadget chain (classes in the PHP autoload scope whose __wakeup, __unserialize, __destruct, __toString or similar magic methods do something exploitable with attacker-controlled properties) exists in the runtime environment, which is why the CVSS vector rates attack complexity as High. Where such a chain is available, the rated impact is full confidentiality, integrity and availability loss for the affected site. No fix version has been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, shortly after publication and matched against customer images, including custom-built WordPress images that bundle the Töbel theme. Any image containing an affected version of the theme is flagged automatically.
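The matching described above is a version comparison against the advisory's affected range. The check below is an added example, not HarborGuard's scanner or any Elated-Themes code: it walks a wp-content/themes directory, reads each theme's style.css header the way WordPress' own get_file_data() does, and reports entries whose Theme Name is "Töbel" and whose Version is 1.8.1 or lower. The theme's directory slug is not given in the advisory, so matching is done on the header name rather than the folder; the sample style.css files are constructed for the demo. Requires PHP 7.4 or later.

```php
<?php
// Added example, not HarborGuard's or Elated-Themes' code. The "Töbel" header
// name and the <= 1.8.1 range are taken from the advisory; the directory slugs
// and style.css contents below are constructed for the demo.

const AFFECTED_THEME = 'Töbel';
const LAST_AFFECTED  = '1.8.1';   // "from n/a through 1.8.1": no lower bound

// Read one field from a WordPress theme file header (case-insensitive, tolerant
// of the comment-block noise WordPress itself tolerates).
function theme_header(string $css, string $field): ?string
{
    $pattern = '/^[ \t\/*#@]*' . preg_quote($field, '/') . ':(.*)$/mi';
    if (!preg_match($pattern, $css, $m)) {
        return null;
    }
    // Strip a trailing "*/" or "?>" if the header sits on the closing line.
    return trim(preg_replace('/\s*(?:\*\/|\?>).*/', '', $m[1]));
}

function is_affected(string $name, string $version): bool
{
    // version_compare handles multi-part versions: 1.8.1.1 is NOT <= 1.8.1.
    return strcasecmp($name, AFFECTED_THEME) === 0
        && version_compare($version, LAST_AFFECTED, '<=');
}

// Scan every <themes>/<slug>/style.css and return the affected entries.
function scan_themes(string $themesDir): array
{
    $hits = [];
    foreach (glob(rtrim($themesDir, '/') . '/*/style.css') ?: [] as $style) {
        $css     = (string) file_get_contents($style);
        $name    = theme_header($css, 'Theme Name');
        $version = theme_header($css, 'Version');
        if ($name === null || $version === null) {
            continue;   // not a valid theme header, skip it
        }
        if (is_affected($name, $version)) {
            $hits[] = [
                'dir'     => basename(dirname($style)),
                'name'    => $name,
                'version' => $version,
            ];
        }
    }
    return $hits;
}

// Constructed sample tree: one affected theme, its child theme, one unrelated.
$root = sys_get_temp_dir() . '/wp-themes-' . bin2hex(random_bytes(4));
$samples = [
    'tobel'       => "/*\nTheme Name: Töbel\nVersion: 1.8.1\n*/",
    'tobel-child' => "/*\nTheme Name: Töbel Child\nTemplate: tobel\nVersion: 1.0\n*/",
    'other'       => "/*\nTheme Name: Other\nVersion: 2.0\n*/",
];
foreach ($samples as $slug => $css) {
    mkdir("$root/$slug", 0700, true);
    file_put_contents("$root/$slug/style.css", $css);
}

foreach (scan_themes($root) as $hit) {
    printf("affected: %s in themes/%s at version %s\n",
        $hit['name'], $hit['dir'], $hit['version']);
}
```

The child theme is not reported by name, which is deliberate: it is the parent theme's code that contains the sink, and the parent is reported directly. A child theme whose Template points at an affected parent should still be treated as affected when the parent directory is present.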
Triage: Available

HarborGuard scores this finding at CVSS 8.1 (High) and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available as soon as Elated-Themes ships a remediated release. In the meantime, customers can apply compensating controls through HarborGuard's policy engine to flag or block deployment of images containing the affected theme version.

Exploit Conditions

  • Network reachability: Required

    The CVSS vector rates the attack vector as Network (AV:N): the deserialization sink is reached over HTTP, so an attacker needs only to be able to send requests to the target WordPress installation.

  • Authentication: Not required

    No account or session credential is needed (PR:N); the deserialization sink is reachable by unauthenticated requests.

  • Victim interaction: Not required

    No user action such as clicking a link or opening a file is required (UI:N).

  • Attack complexity: High

    Exploitation is not condition-free (AC:H). unserialize() on attacker bytes lets the attacker instantiate any class PHP can load with attacker-chosen property values, but that only becomes a useful attack if some loaded class (in the theme, a plugin, WordPress core or a bundled library) does something exploitable in a magic method such as __wakeup, __unserialize, __destruct or __toString. The attacker must find such a gadget chain in the target's runtime environment, and the set of loaded classes varies by site.

Blast Radius

The CVSS vector rates all three impacts as High (C:H/I:H/A:H). What an attacker actually achieves depends on the gadget chain available on the target:

  • With a suitable chain, an attacker can read arbitrary files and database contents, including stored credentials, session tokens, and customer records.
  • An attacker can write or modify persisted data, including WordPress posts, options, and user account records, or drop files under the web root.
  • Where a chain reaches a code-execution sink (file write to a PHP-executable path, include of an attacker-controlled file, eval-style calls), the attacker executes arbitrary PHP code on the server hosting the WordPress installation.
  • The affected service can be disrupted through destructive magic-method side effects, for example a __destruct that deletes a file at an attacker-chosen path, or by driving the request into memory or recursion exhaustion.
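The conditions and impacts above come down to one pattern: untrusted bytes reach unserialize(), and a loaded class with a side-effecting magic method turns that into a file write. The code below is an added illustration of that bug class beside its hardened forms; it is not the Töbel theme's code (the theme's actual sink is not published in this advisory). TemplateCache, the function names and the payload are hypothetical and constructed for the example, and the destructor's file write stands in for the web-shell drop a real gadget would perform. Requires PHP 8.0 or later.

```php
<?php
// Added illustration, not the Töbel theme's code. TemplateCache, the load_*
// functions and the payload are hypothetical and constructed for this example.
declare(strict_types=1);

// An ordinary application class that becomes a "gadget" once unserialize() may
// instantiate it from attacker bytes: PHP runs __destruct when the object is
// discarded, so the side effect fires even if nobody ever uses the object.
final class TemplateCache
{
    public string $path = '';
    public string $contents = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->contents);  // attacker picks both
        }
    }
}

// VULNERABLE sink: untrusted input (cookie, POST field, imported option) passed
// straight to unserialize(). A submitted O:13:"TemplateCache":2:{...} token gets
// the attacker an arbitrary file write out of the destructor; under a web root
// that is a web shell. No authentication is involved anywhere in this path.
function load_settings_vulnerable(string $untrusted): array
{
    $data = @unserialize($untrusted);        // instantiates ANY loadable class
    return is_array($data) ? $data : [];     // object freed here -> __destruct
}

// HARDENED, option A: change the wire format. json_decode() yields only scalars
// and arrays, so there is no object to inject.
function load_settings_json(string $untrusted): array
{
    try {
        $data = json_decode($untrusted, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return [];
    }
    return is_array($data) ? $data : [];
}

// HARDENED, option B: the serialize() format must stay. allowed_classes => false
// decodes every O:/C: token to __PHP_Incomplete_Class, so no constructor,
// __wakeup, __unserialize or __destruct of an application class can run. Any
// leftover object is rejected outright so callers never handle a stub.
function load_settings_unserialize_safe(string $untrusted): array
{
    $data = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return [];
    }
    return $data;
}

function contains_object(array $data): bool
{
    foreach ($data as $value) {
        if (is_object($value) || (is_array($value) && contains_object($value))) {
            return true;
        }
    }
    return false;
}

// Constructed attacker payload: a serialized TemplateCache whose destructor
// writes to a path the attacker chose (a temp file here, not a web root).
$target  = sys_get_temp_dir() . '/poi-demo-' . bin2hex(random_bytes(4)) . '.txt';
$payload = sprintf(
    'O:13:"TemplateCache":2:{s:4:"path";s:%d:"%s";s:8:"contents";s:5:"pwned";}',
    strlen($target),
    $target
);

load_settings_vulnerable($payload);
echo 'vulnerable sink: ', file_exists($target) ? "wrote $target" : 'no write', PHP_EOL;
@unlink($target);

load_settings_unserialize_safe($payload);
echo 'hardened sink:   ', file_exists($target) ? "wrote $target" : 'no write', PHP_EOL;
@unlink($target);
```

The vulnerable function never touches the object, which is the point: the damage happens when PHP frees it. Option B is the drop-in fix for code that already stores serialize() output (WordPress options are a common case); option A is preferable for new code because it removes the object-injection class of bug rather than neutralising it.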

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-39551 is active across all scanning environments, matching images that bundle the Töbel theme at version 1.8.1 or earlier.

Because Elated-Themes has not published a fix, no patched-image rebuild is available yet. HarborGuard re-evaluates the advisory on every ingest cycle and will surface a rebuild automatically once an upstream patch is released. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention.

While no patch exists, compensating controls are worth applying: network-policy isolation to restrict public access to the WordPress installation, egress filtering to limit outbound connections from the container, and disabling or replacing the Töbel theme if an alternative is viable. Where compliance policy permits, HarborGuard can be configured to block promotion of images containing the affected theme version until a patched release is available.

Affected packages
  • Elated-Themes / Töbel
    ≤ 1.8.1
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H