CVE-2026-57724
Themeum · Kirki
A deserialization of untrusted data vulnerability in the Themeum Kirki WordPress plugin allows for PHP object injection.
Executive summary
A critical PHP object injection vulnerability in the Themeum Kirki plugin allows unauthenticated attackers to execute arbitrary code on the host system.
Vulnerability
This is a deserialization of untrusted data (CWE-502) vulnerability that allows unauthenticated attackers to inject malicious PHP objects. Because no authentication is required to trigger this flaw, it can be exploited remotely by any network-accessible user.
Business impact
Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) with the privileges of the web server. Given the CVSS score of 9.8, this vulnerability poses a severe risk of full system compromise, data exfiltration, and potential lateral movement within the hosting environment.
Remediation
Immediate Action: Update the Kirki plugin to the latest available version. If a patch is not yet available, deactivate the plugin until a secure version is released.
Proactive Monitoring: Monitor web server access logs for suspicious serialized strings in GET or POST parameters that may indicate attempts to inject malicious objects.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block common object injection payloads and suspicious input patterns.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability is critical and requires immediate attention to prevent unauthorized remote code execution. Administrators should verify their current version of the Kirki plugin and apply updates immediately. If immediate patching is not possible, prioritize the removal or disabling of the vulnerable component to minimize the attack surface.