CVE-2026-39573
Deferred Deferred - Pending Action
Unauthenticated PHP Object Injection in Mildhill

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated PHP Object Injection in Mildhill <= 1.5 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-39573
EUVD
EUVD-2026-37676
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack mildhill to 1.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39573 is a high-priority PHP Object Injection vulnerability found in the WordPress Mildhill Theme versions 1.5 and below.

This vulnerability allows unauthenticated attackers to inject malicious PHP objects, which can lead to code execution, SQL injection, path traversal, or denial of service attacks if a suitable POP (Property Oriented Programming) chain exists.

The vulnerability has a CVSS score of 8.1, indicating a high level of severity.

Impact Analysis

This vulnerability can have serious impacts including unauthorized code execution, which may allow attackers to take control of the affected system.

  • Execution of arbitrary code
  • SQL injection leading to data compromise
  • Path traversal attacks potentially exposing sensitive files
  • Denial of service attacks causing service disruption

Because the vulnerability is exploitable without authentication, it poses a significant risk to any site using the vulnerable theme version.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WordPress Mildhill Theme to version 1.6 or later, as this version contains the patch for the PHP Object Injection vulnerability.

Until the update can be applied, it is advised to implement the mitigation rule provided by Patchstack to block attacks targeting this vulnerability.

Compliance Impact

The vulnerability allows unauthenticated PHP Object Injection, which can lead to code execution, SQL injection, path traversal, or denial of service attacks. Such exploits can compromise the confidentiality, integrity, and availability of data.

This level of risk and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system security to prevent unauthorized access or data breaches.

Therefore, if exploited, this vulnerability could lead to violations of these regulations due to potential unauthorized data access or disruption of services.

Detection Guidance

The vulnerability affects WordPress Mildhill Theme versions 1.5 and below, allowing unauthenticated PHP Object Injection. Detection involves identifying if the vulnerable theme version is in use.

To detect this vulnerability on your system, you can check the installed version of the Mildhill theme in your WordPress installation.

  • Use WP-CLI to check the theme version: wp theme list --status=active
  • Manually check the style.css file in wp-content/themes/mildhill/ for the version number.

Additionally, network detection can involve monitoring for attack patterns or blocking attempts using the mitigation rule provided by Patchstack until the theme is updated.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39573. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart