Unauthenticated PHP Object Injection in NeoBeat Theme by Patchstack
CVE-2026-39557

8.1HIGH

Key Information:

Vendor: WordPress
Status: Neobeat
Vendor: CVE Published:; 16 June 2026

What is CVE-2026-39557?

The NeoBeat theme for WordPress introduces a security vulnerability that allows for unauthenticated PHP Object Injection. This weakness can enable attackers to manipulate PHP objects, potentially leading to unauthorized access or data manipulation within affected versions. Users of NeoBeat theme versions up to 1.7 should assess their exposure and apply appropriate updates or mitigations to safeguard their WordPress installations.

Affected Version(s)

NeoBeat <= 1.7

References

https://patchstack.com/database/wordpress/theme/neobeat/v...

vdb-entry

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 16, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

Denver Jackson | Patchstack Bug Bounty Program

CVE-2026-39557 Data

JSON