CVE-2026-39560
Deferred Deferred - Pending Action
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated PHP Object Injection in Hiroshi <= 1.5.1 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-39560
EUVD
EUVD-2026-37689
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
hiroshi hiroshi 1.5.1
patchstack hiroshi to 1.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39560 is a high-priority PHP Object Injection vulnerability found in the WordPress Hiroshi Theme versions 1.5.1 and below.

This vulnerability allows attackers to inject malicious PHP objects without needing to authenticate, meaning they do not require prior access to the system.

Exploitation can lead to various attacks such as code injection, SQL injection, path traversal, and denial of service if a suitable Property-Oriented Programming (POP) chain is available.

The vulnerability is classified under OWASP Top 10 A3: Injection, indicating it is a serious security flaw.

Impact Analysis

Exploitation of this vulnerability can have severe impacts including unauthorized code execution, data breaches through SQL injection, unauthorized file access via path traversal, and service disruption through denial of service attacks.

Because the vulnerability is unauthenticated, attackers can exploit it remotely without any credentials, increasing the risk of widespread attacks.

This can lead to compromise of website integrity, loss of sensitive data, and potential takeover of the affected system.

Detection Guidance

This vulnerability affects the WordPress Hiroshi Theme versions 1.5.1 and below. Detection involves identifying if your system is running these vulnerable versions.

You can check the installed version of the Hiroshi theme by inspecting the theme files or using WordPress CLI commands.

  • Use the WordPress CLI command to list installed themes and their versions: wp theme list
  • Manually check the style.css file in the Hiroshi theme directory for the version number.

Additionally, monitoring for suspicious HTTP requests that attempt PHP Object Injection payloads targeting the Hiroshi theme may help detect exploitation attempts.

Mitigation Strategies

The most immediate and effective mitigation is to update the Hiroshi theme to version 1.6 or later, which contains the patch for this vulnerability.

Until the update can be applied, it is recommended to implement the mitigation rule issued by Patchstack to block attacks exploiting this vulnerability.

Additionally, monitor your systems for any signs of exploitation attempts and restrict access where possible to reduce exposure.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform code injection, SQL injection, path traversal, denial of service, and other malicious activities. Such exploits can lead to unauthorized access, data breaches, and system compromise.

These consequences can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring confidentiality, integrity, and availability of systems.

Failure to patch this vulnerability could result in violations of these regulations due to potential data exposure or service disruption.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39560. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart