CVE-2026-39573: WordPress Mildhill theme <= 1.5 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Mildhill <= 1.5 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
PHP Object Injection is a vulnerability where an attacker sends a crafted, serialized data payload to the application, tricking it into instantiating arbitrary PHP objects and executing unintended code or logic. The Mildhill WordPress theme (versions 1.5 and earlier) is affected and the vulnerability is reachable over the network with no authentication required, though exploitation requires navigating environmental conditions that raise attack complexity. Successful exploitation gives an attacker full control over confidentiality, integrity, and availability of the affected environment. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
- Detection (status: Available): Detection for CVE-2026-39573 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the Mildhill theme. No manual intervention is needed to trigger the scan.
- Triage (status: Available): HarborGuard is capable of scoring this CVE at CVSS 8.1 (HIGH) and weighting that score against each environment's compliance policy to determine urgency. Triage output is routed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Remediation (status: Pending upstream): Because no fix version has been published for CVE-2026-39573, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. Where compliance policy permits, customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without requiring manual steps.
Exploit Conditions
- Network reachability: Required. The attacker must reach the affected service over the network; no local or physical access is assumed by the CVSS vector (AV:N).
- Authentication: Not required. No account or session credential is needed; the vulnerable endpoint accepts unauthenticated requests (PR:N).
- Victim interaction: Not required. The attacker does not need to socially engineer or involve any user to trigger the vulnerability (UI:N).
- Attack complexity: High. Exploitation is rated high complexity (AC:H), meaning the attacker must account for environmental or timing factors such as specific server-side class availability (gadget chains) to turn object injection into meaningful impact.
Blast Radius
- A successful attacker can read any data the PHP process has access to, including database credentials, session tokens, and configuration secrets stored on the server.
- A successful attacker can write or modify files and database records, enabling content tampering, backdoor installation, or privilege escalation within the WordPress installation.
- A successful attacker can crash or hang the web server process, taking the affected site offline.
How HarborGuard Handles This
Because no upstream patch exists for CVE-2026-39573 as of the publication date, HarborGuard continuously re-checks the advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published. In the interim, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation that restricts inbound traffic to the WordPress container, egress filtering to limit outbound connections an injected object could make, and flagging any image bundling Mildhill 1.5 or earlier for expedited review. For customers with auto-remediation enabled, a rebuild plus regression-test run and PR against affected workloads will be triggered automatically once a fix is available upstream. Given the CVSS 8.1 HIGH rating and the zero-authentication requirement, this advisory is recommended for immediate review by teams running the Mildhill theme.
Affected Products
- Select-Themes / Mildhill ≤ 1.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H