CVE-2026-42380
Deferred Deferred - Pending Action

Unauthenticated PHP Object Injection in AI Lab

Vulnerability report for CVE-2026-42380, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description

Unauthenticated PHP Object Injection in AI Lab < 5.4.2 versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-07-08
AI Q&A
2026-06-17
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-42380 is a high-priority PHP Object Injection vulnerability found in WordPress AI Lab Theme versions prior to 5.4.2.

This vulnerability allows unauthenticated attackers to inject malicious PHP objects, potentially leading to code execution, SQL injection, path traversal, denial of service, and other attacks if a suitable POP (Property Oriented Programming) chain exists.

It is classified under OWASP Top 10 A3: Injection and poses a significant risk due to its potential for mass exploitation campaigns targeting thousands of websites.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution, which can compromise the entire system.

Attackers may also perform SQL injection, leading to data breaches or data manipulation.

Other impacts include path traversal attacks that can expose sensitive files, denial of service conditions that disrupt service availability, and potentially other malicious activities.

Because the vulnerability is exploitable without authentication, it increases the risk of widespread attacks.

Mitigation Strategies

Immediate action is recommended to mitigate this vulnerability.

  • Update the WordPress AI Lab Theme to version 5.4.2 or later, where the vulnerability is patched.
  • If updating immediately is not possible, apply Patchstack's mitigation rule to reduce risk.
Compliance Impact

The provided information does not specify how the CVE-2026-42380 vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability affects WordPress AI Lab Theme versions prior to 5.4.2 and involves unauthenticated PHP Object Injection. Detection primarily involves identifying if the vulnerable theme version is in use.

To detect the vulnerability on your system, you can check the installed version of the AI Lab WordPress theme. For example, you can use WP-CLI commands or inspect the theme files directly.

  • Use WP-CLI to check the theme version: wp theme list --status=active
  • Manually check the style.css file in the AI Lab theme directory for the version number.

If the version is below 5.4.2, the system is vulnerable. Since this is an unauthenticated PHP Object Injection, network detection might involve monitoring for suspicious HTTP requests targeting the theme endpoints, but no specific detection commands or signatures are provided.

Immediate mitigation is recommended by updating the theme to version 5.4.2 or later or applying Patchstack's mitigation rule if updating is not possible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42380. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart