CVE-2026-57744

stmcan · RT-Theme 18 | Extensions

A deserialization of untrusted data vulnerability in the stmcan RT-Theme 18 | Extensions WordPress plugin allows for PHP object injection.

Executive summary

A critical PHP object injection vulnerability in the RT-Theme 18 | Extensions plugin allows unauthenticated attackers to execute arbitrary code.

Vulnerability

This vulnerability involves the insecure deserialization of untrusted data (CWE-502). The plugin fails to properly validate input before passing it to deserialization functions, allowing unauthenticated attackers to inject malicious objects.

Business impact

With a CVSS score of 9.8, the potential for total system compromise is high. Successful exploitation could lead to data theft, unauthorized modification of site content, and potential backdooring of the server, resulting in significant business disruption.

Remediation

Immediate Action: Update the RT-Theme 18 | Extensions plugin to the latest version immediately. If no update is provided by the vendor, deactivate the plugin.

Proactive Monitoring: Monitor server logs for unusual request patterns and database queries that deviate from standard operational behavior.

Compensating Controls: Implement WAF rules to detect and drop requests that contain serialized PHP objects, effectively mitigating the exploit vector until the plugin is patched.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability presents a critical risk to the integrity and confidentiality of the affected WordPress site. Administrators must prioritize the update to the latest plugin version and conduct a review of the site's security posture to ensure no prior exploitation has occurred.