HarborGuard Database

CVE-2026-42380 | Severity: CRITICAL | CNA: Patchstack

CVE-2026-42380: WordPress AI Lab theme < 5.4.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in AI Lab versions below 5.4.2.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 5.4.2
  • Affected Products: 1


HarborGuard Analysis

Synopsis

The AI Lab WordPress theme by jwsthemes (versions below 5.4.2) contains a PHP Object Injection vulnerability. The flaw is reachable over the network with no authentication required, and the CVSS vector indicates that no user interaction is needed to trigger it. Successful exploitation gives an attacker full read, write, and denial-of-service capability against the affected system. A patched-image rebuild at version 5.4.2 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-42380 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images, including custom-built images that bundle the AI Lab theme.

Triage: Available

Triage is available with the full CVSS v3.1 score of 9.8 (Critical) applied to each matched image, weighted against per-environment compliance policies, and routed to the appropriate team inbox within each customer organization.

Patch: Available

A patched-image rebuild at AI Lab version 5.4.2 is available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run regression tests, and open a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker can reach it from the internet without any prior foothold on the host.

  • Authentication: Not required

    No account or session credential of any privilege level is needed to trigger the injection.

  • Victim interaction: Not required

    The attacker does not need to trick or wait for any user to take an action; the exploit is entirely attacker-driven.

  • Attack complexity: Low

    Exploitation is reliable and condition-free (CVSS AC:L), with no race conditions or special environmental setup required.

Blast Radius

  • A successful attacker can read any data the web process can access, including stored credentials, session tokens, and site configuration secrets.
  • The attacker can write or modify persisted data, including database records, theme files, and uploaded content.
  • The attacker can crash or hang the affected service, making the site unavailable to legitimate users.
  • Because all three impact dimensions (confidentiality, integrity, availability) are rated High, a single successful exploit can fully compromise the affected WordPress installation.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against scanned images within minutes of ingestion, so any image bundling AI Lab below 5.4.2 is flagged immediately. A rebuilt image at the patched version 5.4.2 becomes available as soon as the CVE is confirmed in a customer image. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; for high- and critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the flagged finding is routed to the appropriate team inbox with remediation guidance attached.


Fix available: 5.4.2

Affected packages
  • jwsthemes / AI Lab: < 5.4.2 (from n/a)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H