Severity: HIGH | CVE-2026-39576 | CNA: Patchstack

CVE-2026-39576: WordPress SingleMalt theme <= 1.5 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in SingleMalt <= 1.5 versions.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a deserialization vulnerability affecting the WordPress SingleMalt theme at version 1.5 and earlier. The flaw is reachable over the network with no authentication required, though attack complexity is rated High: whether exploitation succeeds depends on conditions in the target environment rather than on the request alone. Successful exploitation gives an attacker read, write, and availability control over the host, with the concrete impact depending on which PHP classes are loaded in the target environment. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images containing the SingleMalt theme, including custom-built WordPress images that bundle the theme. Coverage extends to all registry types connected to a customer pipeline.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each environment's compliance policy to determine priority and routing. Triage results are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment Elated-Themes or Patchstack publishes a remediated version. In the meantime, customers can apply compensating controls through HarborGuard's policy engine without waiting for an upstream patch.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Not required

    No account or session credential is needed; the injection can be triggered by an unauthenticated HTTP request.

  • Victim interaction: Not required

    No user action is required; the attacker sends a crafted request directly to the server without any social engineering step.

  • Attack complexity: High

    Attack complexity is rated High (AC:H in the CVSS vector), meaning the attacker must account for environmental factors, in particular which PHP classes are loaded in the target application and whether they can be chained into a usable gadget chain.

Blast Radius

  • A successful attacker can read arbitrary files on the server, including WordPress configuration files containing database credentials and secret keys.
  • An attacker can write or modify files on the server, enabling persistent backdoor placement or defacement of site content.
  • An attacker can disrupt or crash the affected service, causing a denial of service for the WordPress installation.
  • The precise impact depends on which PHP gadget chains are available in the target environment, but CVSS rates Confidentiality, Integrity, and Availability as all High.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored with no upstream fix currently published. HarborGuard re-evaluates the Patchstack and NVD advisory feeds on every ingest cycle and will trigger a patched-image rebuild automatically once Elated-Themes releases a remediated version of SingleMalt. While no patch is available, customers can use HarborGuard's network policy controls to restrict external access to affected WordPress deployments, apply egress filtering to limit post-exploitation reach, and flag images containing SingleMalt 1.5 or earlier as policy violations requiring manual sign-off before deployment. For customers with auto-remediation enabled, a rebuilt image, regression test run, and PR against affected workloads will be opened without manual intervention the moment a fix version is published upstream.
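The policy step described above (flag any image that bundles SingleMalt 1.5 or earlier and hold it for manual sign-off) can be reproduced outside HarborGuard with a small check over the theme's metadata. The following is an added example and not HarborGuard's or Elated-Themes' code; it assumes the WordPress convention that a theme declares its name and version in the header comment of its style.css, and the style.css content below is a constructed sample, not a file taken from the real theme. The comparison is numeric per component so that a hypothetical 1.10 or 1.5.1 is correctly treated as newer than 1.5.

```python
import re

# Affected range exactly as stated in the advisory: Elated-Themes / SingleMalt <= 1.5
AFFECTED_THEME = "SingleMalt"
AFFECTED_MAX_VERSION = "1.5"
ADVISORY_ID = "CVE-2026-39576"

# Constructed sample of a WordPress theme style.css header block (not the real theme's file)
SAMPLE_STYLE_CSS = """/*
Theme Name: SingleMalt
Theme URI: https://example.invalid/singlemalt
Author: Elated-Themes
Version: 1.5
*/
"""


def parse_theme_header(style_css):
    """Extract the 'Key: value' fields WordPress reads from a theme's style.css header."""
    header = {}
    for line in style_css.splitlines():
        match = re.match(r"^\s*(Theme Name|Author|Version)\s*:\s*(.+?)\s*$", line)
        if match:
            header[match.group(1)] = match.group(2)
    return header


def version_key(version):
    """Turn '1.5.1' into (1, 5, 1) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(header):
    """True when the header describes SingleMalt at a version inside the affected range."""
    if header.get("Theme Name", "").strip().lower() != AFFECTED_THEME.lower():
        return False
    if "Version" not in header:
        # Unknown version: treat as affected so the image is held for review rather than waved through.
        return True
    return version_key(header["Version"]) <= version_key(AFFECTED_MAX_VERSION)


def policy_decision(style_css):
    """Admission decision for an image bundling this theme, in the spirit of the page's policy step."""
    header = parse_theme_header(style_css)
    if is_affected(header):
        return f"BLOCK: manual sign-off required ({ADVISORY_ID}, no upstream fix published)"
    return "ALLOW"


if __name__ == "__main__":
    print(policy_decision(SAMPLE_STYLE_CSS))
```

The "unknown version" branch is deliberate: a header without a Version field gives no evidence that the theme is patched, so the conservative decision is to hold the image.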

Affected packages
  • Elated-Themes / SingleMalt
    ≤ 1.5
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H