CVE-2026-39442
Deferred Deferred - Pending Action
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated PHP Object Injection in PressMart <= 1.2.26 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-39442
EUVD
EUVD-2026-37684
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pressmart pressmart 1.2.26
patchstack pressmart to 1.2.27 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WordPress PressMart Theme, versions 1.2.26 and below, is vulnerable to a high-priority PHP Object Injection vulnerability (CVE-2026-39442). This flaw allows attackers to inject malicious PHP objects without authentication.

If a suitable POP (Property Oriented Programming) chain exists, attackers could exploit this vulnerability to execute code injection, SQL injection, path traversal, denial of service, and other malicious activities.

This vulnerability is classified under OWASP Top 10 A3: Injection and has a CVSS severity score of 8.1, indicating it is highly dangerous.

Impact Analysis

Exploitation of this vulnerability can lead to severe impacts including unauthorized code execution, database compromise through SQL injection, unauthorized file access via path traversal, and denial of service attacks.

Such impacts can disrupt website functionality, lead to data breaches, and potentially allow attackers to take control over affected systems.

Because the vulnerability is unauthenticated, attackers do not need valid credentials to exploit it, increasing the risk of mass exploitation across thousands of websites using the vulnerable theme.

Detection Guidance

The vulnerability affects WordPress PressMart Theme versions 1.2.26 and below and involves PHP Object Injection. Detection typically involves checking the version of the PressMart theme installed on your system.

You can detect the vulnerable version by inspecting the theme version in your WordPress installation. For example, you can use the following command to check the version in the theme's style.css file:

  • grep 'Version' /path/to/wordpress/wp-content/themes/pressmart/style.css

Additionally, monitoring web server logs for suspicious payloads that attempt PHP Object Injection patterns or using the mitigation rule provided by Patchstack to block attack attempts can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include updating the PressMart theme to version 1.2.27 or later, as this update contains the fix for the PHP Object Injection vulnerability.

Until the update can be applied, Patchstack has provided a mitigation rule to block attacks exploiting this vulnerability. Applying this rule on your web application firewall or intrusion prevention system can help prevent exploitation.

It is also recommended to monitor your systems for any signs of exploitation and restrict access where possible to reduce the attack surface.

Compliance Impact

The provided information does not specify how the PHP Object Injection vulnerability in PressMart versions 1.2.26 and below directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39442. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart