CVE-2026-39555
Deferred Deferred - Pending Action

Deserialization of Untrusted Data in Askka Allows Object Injection

Vulnerability report for CVE-2026-39555, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: Patchstack

Description

Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. This issue affects Askka: from n/a through 1.3.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-07-13
AI Q&A
2026-06-02
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
elated_themes askka to 1.3.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-39555 is a high-priority PHP Object Injection vulnerability found in the WordPress Askka Theme versions 1.3.1 and below. It allows attackers to inject malicious objects through deserialization of untrusted data, potentially enabling code execution, SQL injection, path traversal, denial of service, and other harmful actions if a suitable POP (Property Oriented Programming) chain exists.

This vulnerability is unauthenticated, meaning attackers do not need any prior access to exploit it. It is classified under OWASP Top 10 A3: Injection, highlighting its severity and risk.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution, which could lead to complete compromise of the affected website.

  • Execution of arbitrary code by attackers.
  • SQL injection attacks that could expose or manipulate database information.
  • Path traversal attacks potentially allowing access to sensitive files.
  • Denial of service attacks that could disrupt website availability.

Because the flaw is unauthenticated and can be exploited remotely, it poses a high risk of mass exploitation across many websites using the vulnerable theme.

Detection Guidance

This vulnerability affects the WordPress Askka Theme versions 1.3.1 and below. Detection involves identifying if your system is running a vulnerable version of the Askka theme.

You can check the installed version of the Askka theme by running commands to inspect the theme files or querying the WordPress installation.

  • Use WP-CLI to check the theme version: wp theme list --status=active
  • Manually inspect the style.css file in the Askka theme directory (usually wp-content/themes/askka/) for the version number.
  • Monitor network traffic for suspicious payloads that could indicate PHP Object Injection attempts, although specific detection commands are not provided.
Mitigation Strategies

Immediate mitigation steps include updating the Askka theme to version 1.4 or later, which contains the patch for this vulnerability.

If updating immediately is not possible, apply Patchstack's mitigation rule to block attacks targeting this vulnerability until the update can be completed.

Because the vulnerability is unauthenticated and highly dangerous, rapid action is critical to prevent exploitation.

Compliance Impact

The vulnerability in the WordPress Askka Theme (CVE-2026-39555) allows unauthenticated attackers to perform code injection, SQL injection, path traversal, denial of service, and other malicious activities. Such exploitation could lead to unauthorized access, data breaches, or disruption of services.

These risks can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, maintaining data integrity, and ensuring availability of services. A successful attack exploiting this vulnerability could result in exposure or loss of protected data, violating these regulatory requirements.

Therefore, failure to promptly patch or mitigate this vulnerability could lead to non-compliance with such standards due to potential data breaches or service disruptions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39555. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart