CVE-2026-27417
Received Received - Intake
Deserialization Object Injection in Sweet Date ≀ 4.0.1 Allows Code Execution

Publication date: 2026-03-05

Last updated on: 2026-03-06

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in SeventhQueen Sweet Date sweetdate allows Object Injection.This issue affects Sweet Date: from n/a through < 4.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27417
EUVD
EUVD-2026-9646
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
seventhqueen sweet_date to 4.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

CVE-2026-27417 is a high-priority PHP Object Injection vulnerability found in the WordPress Sweet Date Theme versions prior to 4.0.1.

This vulnerability allows unauthenticated attackers to inject malicious PHP objects into the application by exploiting deserialization of untrusted data.

If successfully exploited, it can lead to severe consequences such as code injection, SQL injection, path traversal, denial of service, and other attacks, depending on the availability of a suitable Property Oriented Programming (POP) chain.

The vulnerability is classified under the OWASP Top 10 category A3: Injection and has a critical CVSS score of 9.8.

Impact Analysis

This vulnerability can have serious impacts including unauthorized code execution, data breaches through SQL injection, unauthorized file access via path traversal, and denial of service attacks.

Because it requires no prior privileges to exploit, any attacker can potentially compromise the affected WordPress site running the vulnerable Sweet Date Theme.

Such impacts can lead to loss of data integrity, confidentiality, and availability of your website and its data.

Detection Guidance

[{'type': 'paragraph', 'content': 'CVE-2026-27417 is a PHP Object Injection vulnerability in the WordPress Sweet Date Theme versions prior to 4.0.1. Detection typically involves monitoring for exploitation attempts targeting this theme, especially unauthenticated requests attempting to inject PHP objects.'}, {'type': 'paragraph', 'content': 'While specific commands are not provided in the available resources, common detection methods include inspecting web server logs for suspicious POST or GET requests containing serialized PHP objects or unusual payloads targeting the Sweet Date theme endpoints.'}, {'type': 'paragraph', 'content': "Additionally, applying Patchstack's immediate mitigation rule can help block attacks targeting this vulnerability, which may also provide detection capabilities."}] [1]

Mitigation Strategies

The primary immediate step to mitigate CVE-2026-27417 is to update the Sweet Date WordPress theme to version 4.0.1 or later, where the vulnerability has been patched.

Until the update can be applied, it is strongly advised to implement the mitigation rule provided by Patchstack to block attacks targeting this vulnerability, ensuring rapid protection against exploitation attempts.

Since the vulnerability can be exploited without prior privileges, prompt action is critical to prevent potential code injection, SQL injection, path traversal, denial of service, and other severe impacts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27417. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart