CVE-2026-39578 (Severity: HIGH; CNA: Patchstack)

CVE-2026-39578: WordPress Valiance theme <= 1.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Valiance <= 1.2 versions.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: no fix version published upstream
  • Affected products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a vulnerability in the Valiance WordPress theme (versions 1.2 and below) where attacker-controlled data is passed to PHP's unserialize() function without validation, allowing crafted input to instantiate arbitrary PHP objects. The CVSS vector indicates the attack is reachable over the network and, despite the description noting 'Unauthenticated', the vector specifies a high-privilege account is required; no victim interaction is needed. Successful exploitation can result in limited unauthorized data disclosure and modification of content within the affected environment. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
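The following is an added illustration, not code from the Valiance theme or from HarborGuard, of why passing untrusted input to unserialize() is the root of this class of bug and what the hardened call looks like. The ThemeOptions class and the serialized input are constructed for the demo; the theme's actual code path is not on this page and is not reproduced here.

```php
<?php
// Added example (hypothetical code, not the Valiance theme's): unrestricted
// unserialize() on attacker-controlled data versus two hardened alternatives.

// A harmless stand-in for any class already loaded in the PHP process
// (WordPress core, the theme, or a plugin) that defines a magic method.
// unserialize() will call __wakeup() on it without the application asking.
class ThemeOptions {
    public $theme = 'default';
    public $wakeupCalls = 0;

    public function __wakeup() {
        // Runs automatically whenever unserialize() rebuilds this class.
        $this->wakeupCalls++;
    }
}

// Constructed input: a serialized ThemeOptions object, as it could arrive in
// a request parameter or a user-controlled setting. Real attack payloads
// differ; the point is that the caller does not control the class name.
function untrustedInput(): string {
    return serialize(new ThemeOptions());
}

// 1. Vulnerable pattern: any class in the process can be instantiated and
//    its magic methods run before the application sees the result.
function loadOptionsVulnerable(string $data) {
    return unserialize($data);
}

// 2. Hardened (PHP >= 7.0): refuse object instantiation entirely. Objects in
//    the stream become __PHP_Incomplete_Class and no magic method fires.
function loadOptionsHardened(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

// 3. Preferred for new code: a data-only format that cannot carry objects,
//    followed by explicit validation of the fields you expect.
function loadOptionsJson(string $json): array {
    $opts = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($opts) || !isset($opts['theme']) || !is_string($opts['theme'])) {
        throw new UnexpectedValueException('malformed theme options');
    }
    return $opts;
}

$data = untrustedInput();

$vuln = loadOptionsVulnerable($data);
printf("vulnerable: class=%s wakeup_calls=%d\n",
    get_class($vuln), $vuln instanceof ThemeOptions ? $vuln->wakeupCalls : -1);

$safe = loadOptionsHardened($data);
printf("hardened:   class=%s is_theme_options=%s\n",
    get_class($safe), var_export($safe instanceof ThemeOptions, true));

$json = loadOptionsJson(json_encode(['theme' => 'default']));
printf("json:       theme=%s\n", $json['theme']);
```

Auditing for this pattern means finding every unserialize() call that can see request data, option values, cookies or uploaded files, and either adding `['allowed_classes' => false]` (or an explicit allow-list of plain data classes with no magic methods) or replacing the format with JSON. The allow-list form only helps if none of the listed classes, or anything reachable through their properties, defines __wakeup, __destruct or __toString behaviour that touches files, databases or the network.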

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Valiance theme. Any image carrying Valiance 1.2 or earlier is flagged automatically.

Triage (Available)

HarborGuard scores this finding at CVSS 8.1 (HIGH) and applies each customer organization's compliance policy weighting to prioritize routing. The resulting alert is dispatched to the team or inbox configured for that environment, so the right people see it without manual filtering.

Patch (Pending upstream)

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. Customers with auto-remediation enabled will receive the rebuild, a regression test run, and a pull request opened against affected workloads without any manual intervention required.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP/HTTPS.

  • Authentication: Required

    The CVSS vector specifies PR:H, meaning a high-privilege account (such as a WordPress administrator) is required to reach the vulnerable code path.

  • Victim interaction: Not required

    No action from a logged-in user or site visitor is needed; the attacker can trigger the vulnerability directly once authenticated.

  • Attack complexity: Low

    AC:L indicates the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental prerequisites.

Blast Radius

  • An attacker can read limited application data, such as theme configuration values or partial content from the WordPress environment (C:L).
  • An attacker can modify limited application data, such as altering theme settings or injecting crafted objects that manipulate serialized data flows (I:L).
  • Availability of the service is not directly impacted by this vulnerability (A:N).
  • Scope is changed (S:C), meaning impact can extend beyond the vulnerable component itself to other components running within the same web application context.

How HarborGuard Handles This

Available on HarborGuard: the CVE is matched against every image in connected registries and CI pipelines, including custom WordPress images bundling the Valiance theme. Because no upstream patch exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. In the meantime, customers can apply compensating controls through HarborGuard-integrated network policies: isolating the WordPress container from unnecessary ingress paths, restricting administrative access to the theme settings endpoint via egress or ingress filtering, and disabling theme features that invoke unserialize() where a feature-flag or plugin-level toggle exists. When an upstream fix is published, customers with auto-remediation enabled will receive a rebuilt image, a regression test run, and a pull request opened against affected workloads automatically.

Affected packages

  • Elated-Themes / Valiance ≤ 1.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N