HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-49107Published Modified CNA Patchstack

CVE-2026-49107: WordPress Thrive Apprentice plugin < 10.8.10.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Thrive Apprentice < 10.8.10.2 versions.

Metrics

CVSS v3.1
9.8
Severity
CRITICAL
Fixed in
10.8.10.2
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

PHP Object Injection is a class of vulnerability where attacker-controlled serialized data is passed to PHP's unserialize() function, allowing the attacker to instantiate arbitrary PHP objects and chain them into destructive gadget sequences. The Thrive Apprentice WordPress plugin before version 10.8.10.2 exposes this vulnerability over the network with no authentication required, meaning any remote visitor can send a malicious payload without holding any account or credential on the site. Successful exploitation gives the attacker full read, write, and denial-of-service capability over the affected WordPress installation, up to and including remote code execution via available PHP gadget chains. A patched-image rebuild at version 10.8.10.2 is available on HarborGuard for environments running an affected version of Thrive Apprentice.

HarborGuard Coverage

Detection

Detection of CVE-2026-49107 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, the NVD, and package-level metadata. This matching covers custom-built WordPress container images alongside images pulled from public registries, so internally assembled images containing Thrive Apprentice are not excluded from coverage.

Available
Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.8 (Critical) and weighting that score against each environment's compliance policy to determine urgency. Routed findings are directed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild pinned to Thrive Apprentice 10.8.10.2 becomes available in HarborGuard as soon as the fix version is confirmed against the upstream package source. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes a regression test suite against the updated image, and opens a pull request against affected workloads; for Critical-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must be able to send HTTP requests to the WordPress site over the network; no local or adjacent-network position is needed.

  • AuthenticationNot required

    No account, session token, or credential of any kind is required; the vulnerable endpoint is reachable by any unauthenticated visitor.

  • Victim interactionNot required

    The attacker sends the malicious serialized payload directly to the server; no user action or click is needed to trigger deserialization.

  • Attack complexityDetail

    Exploitation is reliable and condition-free; no race condition, memory-layout dependency, or environmental prerequisite must be satisfied.

Blast Radius

  • A successful attacker can read arbitrary files on the server, including wp-config.php, exposing database credentials, secret keys, and any secrets stored on the filesystem.
  • The attacker can write or overwrite files on the server, enabling webshell installation or modification of WordPress core and plugin files.
  • Via an available PHP gadget chain the attacker can achieve remote code execution, running arbitrary operating-system commands under the web server process account.
  • The attacker can crash or exhaust server resources, taking the WordPress site offline and denying service to legitimate users.

How HarborGuard Handles This

Available on HarborGuard: detection, triage, and rebuild capabilities for CVE-2026-49107 are active across all customer environments that scan images containing Thrive Apprentice. Because this CVE carries a Critical CVSS score of 9.8 and requires no authentication to exploit, it is prioritized at the top of the severity queue. Where a customer's compliance policy permits auto-remediation, HarborGuard rebuilds the affected image at the patched version 10.8.10.2, runs regression tests against the updated image, and opens a pull request against any workload referencing an affected tag; the median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually will find the CVE surfaced in their findings dashboard with direct links to the upstream Patchstack advisory and the fix version. For any environment where an immediate image rebuild is not feasible, compensating controls to consider include placing a web application firewall rule to block serialized PHP payloads at the request boundary and restricting public ingress to the affected endpoint via network policy until the updated image is deployed.

See how HarborGuard automates this

Fix available

10.8.10.2
Affected packages
  • Thrive Themes / Thrive Apprentice
    < 10.8.10.2 (from n/a)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References