CVE-2026-39554
Deferred Deferred - Pending Action
Unauthenticated PHP Object Injection in Fidalgo

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated PHP Object Injection in Fidalgo <= 1.2.2 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-39554
EUVD
EUVD-2026-37478
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack fidalgo to 1.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39554 is an unauthenticated PHP Object Injection vulnerability found in the WordPress Fidalgo Theme versions 1.2.2 and below.

This flaw allows attackers to inject malicious PHP objects without needing to authenticate, potentially enabling code injection, SQL injection, path traversal, denial of service, and other harmful actions if a suitable Property-Oriented Programming (POP) chain exists.

It is classified under the OWASP Top 10 category A3: Injection and has a high severity score of 8.1, indicating it is highly dangerous and could be exploited on a large scale.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution, data breaches through SQL injection, unauthorized file access via path traversal, and denial of service attacks.

Because it requires no authentication to exploit, attackers can remotely and easily target vulnerable websites, potentially compromising thousands of sites.

Such exploitation can lead to loss of data integrity, confidentiality, and availability, severely affecting the security and functionality of affected systems.

Mitigation Strategies

Immediate action is advised to mitigate the PHP Object Injection vulnerability in Fidalgo versions 1.2.2 and below.

  • Update the WordPress Fidalgo Theme to version 1.3 or later, which contains the patch for this vulnerability.
  • If updating immediately is not possible, apply mitigation measures provided by Patchstack to block attacks targeting this vulnerability.
Compliance Impact

The vulnerability in the WordPress Fidalgo Theme (versions 1.2.2 and below) is a high-severity PHP Object Injection flaw that can lead to code injection, SQL injection, path traversal, denial of service, and other malicious activities.

Such exploitation risks compromising the confidentiality, integrity, and availability of data, which are core principles in compliance frameworks like GDPR and HIPAA.

If exploited, this vulnerability could lead to unauthorized access or data breaches, potentially causing non-compliance with these regulations due to failure to protect personal or sensitive information.

Therefore, organizations using affected versions should promptly update or mitigate the vulnerability to maintain compliance with common security standards and regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39554. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart