HIGH · CVE-2026-39560 · CNA: Patchstack

CVE-2026-39560: WordPress Hiroshi theme <= 1.5.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Hiroshi <= 1.5.1 versions.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: no fixed version published
Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a vulnerability in the WordPress Hiroshi theme (versions 1.5.1 and earlier) where untrusted user-supplied data is passed to PHP's unserialization function without validation. The flaw is reachable over the network without any authentication, though exploitation requires specific environmental conditions to chain into a complete attack. A successful attacker can read sensitive data, modify site content, or crash the affected service depending on what PHP classes are available on the target installation. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-39560 is available across every HarborGuard environment. The CVE is matched against customer images, including custom-built images that bundle the Hiroshi theme, within minutes of ingestion from upstream feeds such as Patchstack. Scans run continuously against images in customer registries and CI/CD pipelines, so new image pushes are checked immediately.

Status: Available
Triage

HarborGuard scores this CVE at 8.1 HIGH using the published CVSS v3.1 vector and weights findings against each customer environment's compliance policy to prioritize alerts appropriately. Routed findings land in the inbox of the team or individual designated in each customer org's notification settings.

Status: Available
Patch

No fix version has been published for CVE-2026-39560 as of the time of this writing. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream vendor ships a corrected release.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable deserialization endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Not required

    No account or session token is needed; the injection can be triggered by an anonymous HTTP request.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator of the site.

  • Attack complexity: High

    Exploitation is rated High complexity because it depends on the presence of a suitable PHP class chain (a so-called POP chain) in the installed codebase, introducing environmental variability beyond the attacker's direct control.

Blast Radius

  • A successful attacker reads confidential data stored by the WordPress installation, including database credentials, API keys, and user records.
  • An attacker modifies persisted site content or injects malicious code into theme files or the database.
  • Depending on available POP chains, an attacker executes arbitrary operating-system commands on the web server hosting the site.
  • The affected service can be crashed or rendered unavailable by triggering a fatal error during the unserialization process.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-39560 is monitored on every ingest cycle. Because no upstream fix exists yet, no patched-image rebuild can be generated at this time. HarborGuard will automatically produce a rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment Select-Themes publishes a corrected release. In the interim, compensating controls worth considering include network-policy rules that restrict public access to the affected WordPress endpoints, web application firewall rules that block serialized PHP payloads in request bodies and query strings, and removal or replacement of the Hiroshi theme with an unaffected alternative where compliance policy permits. Customers can configure HarborGuard policy to flag any image containing Hiroshi 1.5.1 as non-compliant so it does not reach production until the fix is available.
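The compensating control mentioned above (WAF or log-review rules that flag serialized PHP payloads in request bodies and query strings) as a defender-side check, added here as an example; it is not HarborGuard's or Select-Themes' code. It assumes form-encoded query strings and bodies; the sample requests, parameter names and `stdClass` payloads are constructed placeholders, not the theme's real endpoint or parameters.

```python
"""Flag serialized PHP object payloads in HTTP request data (WAF / log-review rule).
A serialized PHP object has a rigid header, O:<len>:"<Class>":<n>:{ (C: for
Serializable classes), so it can be recognised before it reaches unserialize().
Payloads are often base64-wrapped, so each value is also inspected after decoding."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

# Object header anywhere in the value, including objects nested in a serialized
# array such as a:1:{i:0;O:8:"stdClass":0:{}}; group 1 is the class name.
PHP_OBJECT_RE = re.compile(r'\b[OC]:\d+:"([^"]+)":\d+:\{')
# Values that look like standard or URL-safe base64 and are long enough to matter.
BASE64_RE = re.compile(r'^[A-Za-z0-9+/=_-]{16,}$')


def _decodings(value):
    """Yield the value as-is, plus its base64 decoding when it looks like one."""
    yield value
    if BASE64_RE.match(value):
        normalized = value.replace('-', '+').replace('_', '/')
        normalized += '=' * (-len(normalized) % 4)  # restore stripped padding
        try:
            yield base64.b64decode(normalized).decode('utf-8', errors='replace')
        except (binascii.Error, ValueError):
            pass


def find_php_objects(value):
    """Return the class name of every serialized PHP object found in the value."""
    return [cls for text in _decodings(value) for cls in PHP_OBJECT_RE.findall(text)]


def inspect_request(query_string, body):
    """Return (location, parameter, class) for each serialized object in a request.
    Inputs are application/x-www-form-urlencoded strings; parse_qsl URL-decodes them."""
    hits = []
    for location, data in (("query", query_string), ("body", body)):
        for name, value in parse_qsl(data, keep_blank_values=True):
            hits.extend((location, name, cls) for cls in find_php_objects(value))
    return hits


# Constructed sample requests (not real traffic); stdClass has no magic methods, so
# these only show the shapes a rule must recognise. Parameter names are placeholders.
SAMPLE_REQUESTS = {
    "benign": ("page=2&sort=date", urlencode({"comment": "hello world"})),
    "query_object": (urlencode({"data": 'O:8:"stdClass":1:{s:1:"a";i:1;}'}), ""),
    "base64_body": ("", urlencode({"cfg": base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode()})),
}
```

A hit is a signal to block or alert on, not proof of exploitation: the request is dangerous only if the parameter reaches `unserialize()`, so correlate hits with the theme's endpoints when reviewing logs.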

Affected packages
  • Select-Themes / Hiroshi
    ≤ 1.5.1
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H