Select-mes Zermatt Plugin up to 1.6.1 on WordPress deserialization

Summaryinfo

A vulnerability categorized as problematic has been discovered in Select-mes Zermatt Plugin up to 1.6.1 on WordPress. Affected is an unknown function. Such manipulation leads to deserialization. This vulnerability is documented as CVE-2026-39545. The attack can be executed remotely. There is not any exploit available.

Detailsinfo

A vulnerability was found in Select-mes Zermatt Plugin up to 1.6.1 on WordPress and classified as problematic. Affected by this issue is an unknown functionality. The manipulation with an unknown input leads to a deserialization vulnerability. Using CWE to declare the problem leads to CWE-502. The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Unauthenticated PHP Object Injection in Zermatt <= 1.6.1 versions.

The weakness was released by Denver Jackson. The advisory is shared for download at patchstack.com. This vulnerability is handled as CVE-2026-39545 since 04/07/2026. The exploitation is known to be difficult. The attack may be launched remotely. No form of authentication is required for exploitation. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 06/17/2026).

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• WordPress Plugin

Vendor

• Select-mes

Name

• Zermatt Plugin

Version

• 1.6.0
• 1.6.1

CPE 2.3info

• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion