CVE-2026-57744
Received Received - Intake

Deserialization of Untrusted Data in RT-Theme 18 Extensions

Vulnerability report for CVE-2026-57744, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: Patchstack

Description

Deserialization of Untrusted Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Object Injection.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
patchstack rt18-extensions to 2.5 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-57744 is a vulnerability in the WordPress RT-Theme 18 | Extensions Plugin versions 2.5 and below that allows PHP Object Injection through deserialization of untrusted data.

This flaw enables attackers to inject malicious objects into the application, potentially leading to code execution, SQL injection, path traversal, denial of service, or other harmful actions if a suitable Property-Oriented Programming (POP) chain exists.

The vulnerability is unauthenticated, meaning attackers do not need valid user credentials to exploit it, making it highly dangerous and likely to be targeted in widespread attacks.

Impact Analysis

Exploitation of this vulnerability can lead to severe impacts including remote code execution, unauthorized database access via SQL injection, file system access through path traversal, denial of service, and other malicious activities.

Because the vulnerability requires no authentication, attackers can easily exploit it to compromise affected WordPress websites, potentially leading to data breaches, website defacement, service outages, or full system compromise.

Mitigation Strategies

The vulnerability affects WordPress RT-Theme 18 | Extensions Plugin versions 2.5 and below and allows unauthenticated PHP Object Injection attacks.

As there is no official patch available yet, immediate mitigation steps include:

  • Update the plugin immediately to a version above 2.5 if available.
  • If updating is not possible, apply temporary mitigation rules provided by Patchstack to block attacks.
  • Seek assistance from your hosting provider or web developer to implement these mitigations.
  • Consider using automated vulnerability mitigation solutions offered by Patchstack to protect your website until an official fix is released.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57744. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart