HarborGuard Database

HIGH | CVE-2026-39554 | CNA: Patchstack

CVE-2026-39554: WordPress Fidalgo theme <= 1.2.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Fidalgo versions <= 1.2.2.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: no fix version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

CVE-2026-39554 is an unauthenticated PHP Object Injection vulnerability in the Fidalgo WordPress theme, versions 1.2.2 and earlier, that can lead to remote code execution. An attacker reaches it over the network with no credentials by sending a crafted serialized PHP payload; exploitation also depends on environmental conditions, which is reflected in the High attack-complexity rating. Successful exploitation gives the attacker full confidentiality, integrity, and availability impact on the affected host. No fix version has been published yet; HarborGuard tracks the advisory and will surface patch availability as soon as upstream releases one.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: CVE-2026-39554 is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in registries and CI/CD pipelines. Coverage extends to custom-built images that bundle the Fidalgo theme, not just official distribution images.

Triage (Available)

HarborGuard scores this finding at CVSS 8.1 (HIGH) and can weight it further against each customer organization's compliance policy before routing it to the appropriate team inbox. Per-environment policy configuration lets security and platform teams set escalation thresholds so high-severity unauthenticated vulnerabilities surface immediately to the right responders.

Patch (Pending upstream)

Because no upstream fix version exists for CVE-2026-39554, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fixed release is published. In the meantime, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation for affected workloads, to reduce exposure while awaiting a vendor patch.

Exploit Conditions

  • Network reachability: Required

    The vulnerable theme endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS from the internet or an internal network segment.

  • Authentication: Not required

    No account or session token is needed; the injection point accepts unauthenticated requests.

  • Victim interaction: Not required

    The attacker does not need to trick or wait on any user action; the exploit is fully server-side.

  • Attack complexity: High

    Attack complexity is rated High, meaning the attacker must satisfy specific environmental conditions, such as the presence of a usable gadget (POP) chain among the classes loaded by the application, before the injection yields code execution.

Blast Radius

  • A successful attacker can read arbitrary files on the server, including WordPress configuration files that contain database credentials and secret keys.
  • An attacker can write or modify files on the server, enabling webshell installation or theme/plugin tampering that persists across requests.
  • The attacker can trigger application or server crashes, making the WordPress site unavailable to legitimate visitors.
  • Combined read and write access, together with the exposed database credentials, puts all stored user data, session tokens, and site content at risk of exfiltration or modification.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-39554 as of the publication date, the platform monitors the Patchstack advisory on every ingest cycle and will automatically initiate a patched-image rebuild the moment Elated-Themes ships a fixed version of Fidalgo. For environments where the Fidalgo theme is present in scanned images, HarborGuard surfaces the finding immediately at HIGH severity. While awaiting a vendor fix, customers can use HarborGuard's policy engine to flag affected images as non-compliant for deployment gating, preventing vulnerable builds from reaching production. Network-policy isolation (restricting inbound HTTP access to known trusted sources) and web-application firewall rules that block deserialization payloads are suggested compensating controls until a patched build becomes available. For customers who opt into auto-remediation, a rebuild and regression run will trigger automatically once an upstream fix is published, with a PR opened against affected workloads.

Affected packages
  • Elated-Themes / Fidalgo
    ≤ 1.2.2
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H