PatchSiren cyber security CVE debrief

CVE-2026-39567 Select-Themes CVE debrief

CVE-2026-39567 is a high-severity vulnerability in the Santé theme for WordPress, allowing unauthenticated PHP object injection. This vulnerability has a CVSS score of 8.1 and was published on 2026-06-17. The affected versions are <= 1.5.1. Users of the Santé theme should take immediate action to mitigate this vulnerability. The vulnerability was reported by Patchstack and is tracked by CVE.org and NVD. No information is available on known ransomware campaign use.

Vendor: Select-Themes
Product: Santé
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of the Santé theme for WordPress, especially those with versions <= 1.5.1, should take immediate action to mitigate this high-severity vulnerability.

Technical summary

CVE-2026-39567 is a high-severity vulnerability in the Santé theme for WordPress, allowing unauthenticated PHP object injection. The vulnerability has a CVSS score of 8.1 and is tracked by CVE.org and NVD. The affected versions are <= 1.5.1. The vulnerability was reported by Patchstack. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

high

Recommended defensive actions

  • Update the Santé theme to a version greater than 1.5.1
  • Restrict access to the Santé theme's files and directories
  • Implement a web application firewall (WAF) to detect and prevent attacks
  • Monitor the Santé theme's logs for suspicious activity
  • Consider using a security plugin or service to detect and prevent attacks
  • Limit deserialization of untrusted input, the cause of PHP object injection, in the Santé theme's code
  • Regularly update and patch the Santé theme and other WordPress components

Evidence notes

The vulnerability was reported by Patchstack and is tracked by CVE.org and NVD. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The affected versions are <= 1.5.1.
