HIGH | CVE-2026-39567 | CNA: Patchstack

CVE-2026-39567: WordPress Santé theme <= 1.5.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Santé <= 1.5.1 versions.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: no fix version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a vulnerability in the Santé WordPress theme (versions 1.5.1 and earlier) in which unsanitized, attacker-supplied data is passed to PHP's unserialize() function. The vulnerability is reachable over the network with no authentication required, though exploitation depends on environmental factors such as the presence of a suitable chain of PHP objects (a "POP chain") in the application. Successful exploitation can have high confidentiality, integrity and availability impact on the affected system (CVSS C:H/I:H/A:H). HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-39567 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images, including custom-built images that bundle the Santé theme. Any image found to contain an affected version of the theme is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each customer's per-environment compliance policy to determine urgency and routing. The finding is dispatched to the inbox or ticketing integration configured for the relevant team inside each customer organization.

Patch: Pending upstream

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released by Select-Themes. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the WordPress installation to reach the unserialize() call.

  • Authentication: Not required

    No account or session credentials are needed; the injection point is accessible to unauthenticated HTTP requests.

  • Victim interaction: Not required

    No user action is required; the attacker interacts directly with the server without any social-engineering step.

  • Attack complexity: High

    Exploitation is rated High complexity because it depends on the presence of a suitable POP chain in the application's loaded PHP classes; the attacker must identify and assemble a viable chain of objects to achieve meaningful impact.

Blast Radius

  • A successful attacker can read arbitrary files and sensitive data on the server, including WordPress database credentials and stored user records.
  • The attacker can write or modify files on the host, enabling persistent backdoor installation or defacement of site content.
  • Depending on the POP chain available, the attacker may achieve remote code execution, running arbitrary commands under the web server process.
  • Service availability can be disrupted by triggering destructors or file operations that crash or corrupt the WordPress installation.

How HarborGuard Handles This

Available on HarborGuard: because no fix version exists for CVE-2026-39567, HarborGuard continuously monitors the Patchstack advisory and will surface a patched-image rebuild the moment Select-Themes publishes a corrected release of the Santé theme. In the interim, compensating controls are recommended: apply a network policy that restricts inbound HTTP access to the WordPress installation to known, trusted sources where operationally feasible; use a web application firewall rule to block or alert on requests containing serialized PHP payloads targeting the affected parameter; and consider disabling or replacing the Santé theme in affected images if a substitute is available. For customers with auto-remediation enabled, the full rebuild, regression-test run, and PR workflow will trigger automatically against affected workloads as soon as an upstream fix version is confirmed.
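A compensating detection of the kind the WAF recommendation above describes, written here as an added example (it is not HarborGuard's code or the theme's): it scans the query strings of access-log-style request lines for PHP serialized object headers, including objects nested inside serialized arrays and base64-wrapped payloads, so such a request can be alerted on or blocked before it reaches unserialize(). The sample request lines and the parameter name theme_opts are constructed, since the advisory does not identify the affected parameter.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# PHP serialized object header O:<len>:"<class>":<count>:{ (C: is the Serializable form).
# Requiring start-of-string, ';' or '{' before it also catches objects nested in arrays.
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:[{]')

def candidate_decodings(value: str):
    """Yield the value as-is, one extra URL-decoding layer, and a base64 decoding."""
    yield value
    if (decoded := unquote_plus(value)) != value:
        yield decoded
    b64 = value.strip().replace("-", "+").replace("_", "/")  # accept URL-safe base64 too
    if len(b64) >= 8 and re.fullmatch(r"[A-Za-z0-9+/=]+", b64):
        try:
            yield base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("latin-1")
        except (binascii.Error, ValueError):
            pass

def find_php_objects(value: str) -> list[str]:
    """Return class names of every serialized PHP object found in any decoding of value."""
    found = [m.group(1) for text in candidate_decodings(value) for m in PHP_OBJECT_RE.finditer(text)]
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order

def inspect_request(request_line: str) -> dict[str, list[str]]:
    """Map each query parameter of 'METHOD /path?query HTTP/x' carrying an object to its classes."""
    parts = request_line.split()
    if len(parts) < 2:
        return {}
    hits = {}
    for name, values in parse_qs(urlsplit(parts[1]).query, keep_blank_values=True).items():
        classes = list(dict.fromkeys(c for v in values for c in find_php_objects(v)))
        if classes:
            hits[name] = classes
    return hits

def scan_requests(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Return (line number, parameter, classes) for every request line that carries an object."""
    return [(n, param, classes) for n, line in enumerate(lines, start=1)
            for param, classes in inspect_request(line).items()]

# Constructed sample request lines, not from the advisory; "theme_opts" is a hypothetical parameter
# name. Line 1: benign serialized string; 2: plain object; 3: object in array; 4: base64-wrapped.
SAMPLE_REQUESTS = [
    "GET /index.php?theme_opts=s%3A4%3A%22dark%22%3B HTTP/1.1",
    "GET /index.php?theme_opts=O%3A10%3A%22Acme_Cache%22%3A1%3A%7Bs%3A4%3A%22file%22%3Bs%3A9%3A%22cache.tmp%22%3B%7D HTTP/1.1",
    "GET /index.php?theme_opts=a%3A1%3A%7Bi%3A0%3BO%3A11%3A%22Acme_Logger%22%3A0%3A%7B%7D%7D HTTP/1.1",
    "GET /index.php?theme_opts=TzozOiJGb28iOjA6e30%3D HTTP/1.1",
]
```

Running scan_requests(SAMPLE_REQUESTS) flags requests 2, 3 and 4 with the class names they carry and leaves the benign first request alone; a real deployment would feed it the request lines from the web server's access log or run the same check in the WAF.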

Affected packages
  • Select-Themes / Santé
    ≤ 1.5.1
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H