PatchSiren

CVE-2026-39539 Edge-Themes CVE debrief

CVE-2026-39539 is a high-severity vulnerability (CVSS 8.1) in the Alloggio - Hotel Booking WordPress theme, versions up to 2.1.2. It allows unauthenticated PHP object injection, which can lead to arbitrary code execution. The CVE was published on June 17, 2026, and last modified on the same day.

Vendor: Edge-Themes
Product: Alloggio - Hotel Booking
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of the Alloggio - Hotel Booking WordPress theme, version 2.1.2 or earlier, should be aware of this vulnerability and take immediate action to mitigate the risk.

Technical summary

The vulnerability is caused by a lack of proper input validation and sanitization in the Alloggio - Hotel Booking WordPress theme. This allows an unauthenticated attacker to inject malicious PHP objects, potentially leading to arbitrary code execution. The vulnerability has been assigned a CVSS score of 8.1 and a CVSS vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, that is, a network attack vector, high attack complexity, no privileges and no user interaction required, unchanged scope, and high impact on confidentiality, integrity and availability.

Defensive priority

high

Recommended defensive actions

  • Update the Alloggio - Hotel Booking WordPress theme to a version that is not vulnerable.
  • Use a Web Application Firewall (WAF) to detect and prevent attacks.
  • Monitor the system for suspicious activity.
  • Implement additional security measures, such as two-factor authentication.
  • Regularly update and patch the system.
  • Use secure protocols for communication.
  • Limit access to sensitive areas of the system.
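
As a concrete form of the WAF and monitoring actions above, the following added example (not code from the advisory, the theme, or its vendor) flags request targets whose query parameters carry a serialized PHP object, either plain or base64-encoded. The sample requests and parameter names are constructed for illustration; the advisory does not name the affected parameter.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, urlsplit

# PHP serialize() writes an object as O:<len>:"<Class>":<count>:{ and a
# Serializable one as C:<len>:"<Class>":<len>:{ ; it appears at the start of
# the value or after ';' / '{' when nested inside an array or another object.
SERIALIZED_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')

def _maybe_base64(value):
    """Return the decoded text if value is strict base64, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def find_serialized_objects(request_target):
    """Return the query parameter names that carry a serialized PHP object."""
    hits = []
    query = urlsplit(request_target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl has already percent-decoded the value
        candidates = (value, _maybe_base64(value))
        if any(c and SERIALIZED_OBJECT.search(c) for c in candidates):
            hits.append(name)
    return hits

def scan(request_targets):
    """Map each flagged request target to its offending parameter names."""
    flagged = {}
    for target in request_targets:
        hits = find_serialized_objects(target)
        if hits:
            flagged[target] = hits
    return flagged

# Constructed sample request targets; parameter names are hypothetical
SAMPLE_REQUESTS = [
    "/?s=rooms&page=2",
    "/?data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
    "/?prefs=" + quote(base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}'), safe=""),
    "/?note=Room+O:2+is+booked",
]

if __name__ == "__main__":
    for target, params in scan(SAMPLE_REQUESTS).items():
        print(f"ALERT serialized PHP object in {params}: {target}")
```

This check covers query strings only; POST bodies and cookies need the same inspection, and pattern matching is a stopgap until the theme is updated.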

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and Patchstack. The vulnerability was published on June 17, 2026, and last modified on the same day. The CVSS score and vector were provided by the NVD.
