CVE-2026-27429
Deferred Deferred - Pending Action

Unauthenticated PHP Object Injection in Nifty

Vulnerability report for CVE-2026-27429, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description

Unauthenticated PHP Object Injection in Nifty <= 1.4.1 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-07-07
AI Q&A
2026-06-17
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
patchstack nifty to 1.4.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-27429 is a high-priority unauthenticated PHP Object Injection vulnerability found in the WordPress Nifty Theme versions 1.4.1 and below.

This flaw allows attackers to inject malicious PHP objects without needing to authenticate, potentially leading to severe security issues.

Exploitation can result in code injection, SQL injection, path traversal, and denial of service if a suitable POP (Property Oriented Programming) chain exists.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution, data breaches through SQL injection, unauthorized file system access via path traversal, and service disruption through denial of service attacks.

Because the vulnerability is unauthenticated, attackers can exploit it remotely without any credentials, potentially affecting thousands of websites in mass campaigns.

Immediate action is necessary to update the Nifty theme to version 1.4.2 or later to mitigate these risks.

Mitigation Strategies

Immediate action is required to update the WordPress Nifty Theme to version 1.4.2 or later to mitigate the PHP Object Injection vulnerability.

Until the update is applied, Patchstack has provided a mitigation rule that can be used to block attacks exploiting this vulnerability.

Detection Guidance

The vulnerability affects WordPress Nifty Theme versions 1.4.1 and below, which are vulnerable to unauthenticated PHP Object Injection. Detection involves identifying if your system is running these vulnerable versions.

Since the vulnerability is unauthenticated and can be exploited remotely, monitoring network traffic for exploitation attempts or scanning your WordPress installation for the Nifty theme version is recommended.

  • Check the installed version of the Nifty theme in your WordPress installation by navigating to the theme directory and inspecting the style.css or version files.
  • Use WP-CLI command to list installed themes and their versions: `wp theme list`
  • Monitor web server logs for suspicious requests that may indicate exploitation attempts, especially POST requests with serialized PHP objects.
  • Apply the Patchstack mitigation rule to block attacks until the theme is updated.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27429. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart