Deserialization of Untrusted Data in Themify Popup by Themify
CVE-2026-56037

8.8HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
2 July 2026

What is CVE-2026-56037?

A vulnerability exists in Themify Popup, where an attacker may exploit deserialization of untrusted data to perform object injection. This flaw affects versions from n/a to 1.4.3, potentially allowing unauthorized manipulation of application functionality or execution of arbitrary code.

Affected Version(s)

Themify Popup <= 1.4.3

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

0xd4rk5id3 | Patchstack Bug Bounty Program
.