HarborGuard Database

CVE-2026-39555 | Severity: HIGH | CNA: Patchstack

CVE-2026-39555: WordPress Askka theme <= 1.3.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP object injection via unsafe deserialization affects the Askka WordPress theme by Elated-Themes, versions 1.3.1 and earlier. The vulnerability is reachable over the network without any authentication, though the high attack-complexity rating (AC:H) means exploitation depends on environmental or timing conditions outside the attacker's control. A successful attacker gains full read, write, and crash capability over the affected environment (C:H/I:H/A:H). No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as upstream ships a patch.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images in registries and CI/CD pipelines, covering custom-built WordPress images that bundle the Askka theme alongside vendor-supplied ones.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 8.1 (HIGH) and weighting it further against each customer organization's compliance policy, then routing the alert to the appropriate team inbox within that org.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment upstream ships a remediated release. In the meantime, customers can apply compensating controls through HarborGuard's network-policy isolation and egress-filtering recommendations surfaced on the finding detail page.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress service over the network; no local or physical access is required.

  • Authentication: Not required

    No account or session credentials are needed to send the malicious payload.

  • Victim interaction: Not required

    The attacker does not need any user or administrator to take an action for exploitation to proceed.

  • Attack complexity: High

    Exploitation is not straightforward; the attacker must account for race conditions, specific memory or object-graph layout, or other environmental factors that make reliable exploitation inconsistent.

Blast Radius

  • A successful attacker reads arbitrary files and data stored on the WordPress host, including database credentials, session tokens, and user records.
  • The attacker writes or modifies persisted data and files on the server, enabling content tampering, backdoor installation, or privilege escalation within WordPress.
  • The attacker can crash or destabilize the affected service, causing a denial of service for visitors and administrators.
  • Because PHP object injection can chain existing class methods (POP chains), the attacker may achieve remote code execution depending on the classes available in the application.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-39555 at this time, HarborGuard continuously re-checks the Patchstack advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual intervention required. While no patch is available, HarborGuard surfaces compensating-control guidance on the finding detail page: applying Kubernetes network policies to restrict ingress to the affected WordPress service, enabling egress filtering to limit outbound connections from the container, and disabling or removing the Askka theme entirely where it is not actively required. Customers whose compliance policy flags unpatched HIGH-severity findings for escalation will have this CVE routed to the appropriate inbox automatically.

Affected packages

  • Elated-Themes / Askka: ≤ 1.3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H