PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39545 Select-Themes CVE debrief

CVE-2026-39545 is a high-severity vulnerability in the Zermatt theme, affecting versions up to 1.6.1. It allows unauthenticated PHP object injection, with high impact on confidentiality, integrity, and availability. The CVSS score is 8.1 (High). Users of the Zermatt theme should take immediate action to mitigate this risk. The vulnerability was published on June 17, 2026, and is tracked by sources including the National Vulnerability Database (NVD).

Vendor: Select-Themes
Product: Zermatt
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of the Zermatt theme version 1.6.1 or lower should be concerned about this vulnerability. Given its high severity and potential for significant impact, immediate attention is required to secure affected installations.

Technical summary

CVE-2026-39545 is a PHP object injection vulnerability in the Zermatt theme for WordPress, affecting versions up to 1.6.1. This vulnerability is rated with a CVSS score of 8.1, indicating high severity. The vulnerability allows unauthenticated attackers to inject PHP objects, potentially leading to code execution, data breaches, and other malicious activities. The Common Weakness Enumeration (CWE) associated with this vulnerability is CWE-502, which relates to the deserialization of untrusted data.

Defensive priority

High

Recommended defensive actions

  • Update the Zermatt theme to a version that is not vulnerable (if available).
  • Restrict access to the Zermatt theme's files and directories to prevent unauthorized access.
  • Implement a Web Application Firewall (WAF) to detect and block suspicious traffic.
  • Regularly monitor the Zermatt theme's logs for signs of exploitation.
  • Consider using a security plugin or service to detect and mitigate vulnerabilities.
  • Limit the use of PHP object serialization and deserialization in the Zermatt theme.
  • Review the Zermatt theme's code for any suspicious or vulnerable patterns.
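
For the code-review item above, this added example (not code from the advisory, Patchstack, or the Zermatt theme) flags PHP deserialization calls, the CWE-502 sink, and ranks each by whether request data reaches it directly or the call restricts object creation with allowed_classes. The function names audit_php and call_args are hypothetical, and the PHP sample is constructed for illustration.

```python
import re

# Deserialization sinks; maybe_unserialize() is WordPress's wrapper.
CALL = re.compile(r"\b(maybe_unserialize|unserialize)\s*\(")
# Request-controlled superglobals that make the input untrusted.
TAINT = re.compile(r"\$_(GET|POST|COOKIE|REQUEST|SERVER)\b")
SAFE_OPT = re.compile(r"""['"]allowed_classes['"]\s*=>\s*(false|\[|array\s*\()""", re.I)


def call_args(src, open_idx):
    """Return the text between the parenthesis at open_idx and its match."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced: return the remainder


def audit_php(src):
    """Return (line, function, severity) for every deserialization call."""
    findings = []
    for m in CALL.finditer(src):
        args = call_args(src, m.end() - 1)
        line = src.count("\n", 0, m.start()) + 1
        if m.group(1) == "unserialize" and SAFE_OPT.search(args):
            severity = "restricted"  # allowed_classes limits object creation
        elif TAINT.search(args):
            severity = "high"        # request data reaches the call directly
        else:
            severity = "review"      # trace the variable back by hand
        findings.append((line, m.group(1), severity))
    return findings


# Constructed sample, not taken from the Zermatt theme.
SAMPLE = """<?php
$opts = unserialize(base64_decode($_COOKIE['layout']));
$safe = unserialize($_POST['cfg'], ['allowed_classes' => false]);
$meta = maybe_unserialize($row->meta_value);
"""

if __name__ == "__main__":
    for line, func, severity in audit_php(SAMPLE):
        print(f"line {line}: {func}() -> {severity}")
```

A "review" result is not a clearance: the argument is a variable whose origin has to be traced by hand, since this check only sees superglobals written inside the call itself.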

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and Patchstack. The CVE record and NVD detail pages provide official information about the vulnerability, while Patchstack offers additional context and potential mitigations.

Official resources

CVE-2026-39545 was published on June 17, 2026, and modified on the same day.