HarborGuard Database

HIGH | CVE-2026-39577 | Published | Modified | CNA: Patchstack

CVE-2026-39577: WordPress Playroom theme <= 1.4.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Playroom <= 1.4.1 versions.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: (no fix version published)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a vulnerability where attacker-controlled input is passed to PHP's unserialize() function, allowing the attacker to instantiate arbitrary objects and potentially trigger dangerous code paths. This vulnerability in the WordPress Playroom theme (versions 1.4.1 and below) is reachable over the network with no authentication required, meaning any external party can send a crafted request. Successful exploitation enables limited reads of sensitive data and limited modification of application data within a changed security scope. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-39577 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images, including custom-built images that contain the Playroom theme. Any image in a connected registry or CI pipeline carrying an affected theme version surfaces in scan results automatically.

Status: Available
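A defender-side version check of the kind the Detection section describes, as an added example that is not HarborGuard's or Elated-Themes' code: it reads the WordPress style.css header of an installed theme and reports whether it falls in the affected range (Playroom <= 1.4.1). It assumes the theme identifies itself as "Playroom" in the standard "Theme Name:" header field and uses dotted numeric versions; the sample headers below are constructed.

```python
import re
from typing import Dict, Tuple

# Affected range taken from the advisory: Playroom <= 1.4.1
AFFECTED_THEME = "playroom"
LAST_AFFECTED_VERSION = (1, 4, 1)

# WordPress theme headers sit in a comment block at the top of style.css,
# one "Key: Value" per line. Only the two fields needed here are captured.
_HEADER_RE = re.compile(
    r"^\s*\*?\s*(Theme Name|Version)\s*:\s*(.+?)\s*$",
    re.MULTILINE | re.IGNORECASE,
)


def parse_theme_header(style_css: str) -> Dict[str, str]:
    """Return {'theme name': ..., 'version': ...} from a style.css header block."""
    fields: Dict[str, str] = {}
    for key, value in _HEADER_RE.findall(style_css):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.1' (or 'v1.4.1') into (1, 4, 1); trailing tags like '-beta' are dropped."""
    parts = []
    for component in version.strip().lstrip("vV").split("."):
        m = re.match(r"\d+", component)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_le(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """a <= b with zero padding, so (1, 4) compares as (1, 4, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def is_affected(style_css: str) -> bool:
    """True when the header names Playroom at a version <= 1.4.1."""
    header = parse_theme_header(style_css)
    if header.get("theme name", "").strip().lower() != AFFECTED_THEME:
        return False
    version = parse_version(header.get("version", ""))
    if not version:
        return True  # unparseable version: treat as affected until proven otherwise
    return version_le(version, LAST_AFFECTED_VERSION)


# Constructed sample headers (not taken from any real theme package)
SAMPLE_AFFECTED = "/*\nTheme Name: Playroom\nAuthor: Elated-Themes\nVersion: 1.4.1\n*/"
SAMPLE_FIXED = SAMPLE_AFFECTED.replace("Version: 1.4.1", "Version: 1.4.2")
SAMPLE_OTHER = SAMPLE_AFFECTED.replace("Theme Name: Playroom", "Theme Name: Other")
```

In a real scan the header text would come from wp-content/themes/<theme>/style.css inside the image being checked.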
Triage

HarborGuard scores this CVE at CVSS 8.1 (HIGH) and weights that score against each customer environment's compliance policy to prioritize alert routing. Triage findings are delivered to the appropriate team inbox within each customer organization according to configured ownership rules.

Status: Available
Patch

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. In the interim, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation on workloads running the affected theme.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker can send a crafted request from a remote host without any prior foothold on the server.

  • Authentication: Not required

    No credentials are needed; the injection point is reachable by any unauthenticated HTTP request, making this exploitable by arbitrary external actors.

  • Victim interaction: Not required

    Exploitation is fully server-side and requires no action from any user or administrator on the target site.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and repeatable without depending on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • An attacker can read a limited subset of data accessible to the web application, such as configuration values or session-adjacent information exposed within the changed security scope.
  • An attacker can modify a limited subset of application data, such as theme settings or serialized option values stored by the affected plugin context.
  • The vulnerability carries no direct availability impact, so service continuity is not disrupted by exploitation alone.
  • Because the scope is changed (S:C in the CVSS vector), impact may extend beyond the theme itself to other components or data within the WordPress installation that share the same runtime context.

How HarborGuard Handles This

Available on HarborGuard: continuous advisory monitoring for CVE-2026-39577 is active across all connected environments, with re-evaluation on every ingest cycle so that a patched-image rebuild becomes available the moment Elated-Themes or Patchstack publishes a fix. While no patch exists, customers can use HarborGuard's network policy controls to isolate workloads running Playroom 1.4.1 and below, restricting inbound HTTP access to trusted sources only. Egress filtering can also be applied to limit the blast radius of any successful deserialization chain that attempts outbound callbacks. For customers who opt into auto-remediation, a rebuilt image and a PR opened against affected workloads will be triggered automatically as soon as a fix version is available upstream, with no manual intervention required.

Affected packages
  • Elated-Themes / Playroom
    ≤ 1.4.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N