
Thrive Apprentice Unauthenticated PHP Object Injection

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-49107

A critical unauthenticated PHP Object Injection vulnerability exists in Thrive Apprentice, a WordPress plugin, enabling attackers to potentially compromise systems without authentication. This vulnerability is reachable via the network and could lead to severe data compromise if exploited. Action is needed to determine

Deserialization

Halo Surface Signal 4: Likely · external exposure

The vulnerability affects a WordPress plugin, which functions as a web application component. WordPress sites are typically deployed as public-facing web services, making the application's functionality and its plugins' endpoints directly reachable from the internet by design.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory highlights a critical unauthenticated PHP Object Injection vulnerability affecting Thrive Apprentice, a WordPress plugin. The issue allows for potentially severe system compromise without requiring user authentication. The primary concern at this time is to confirm whether this plugin is in use and, if so, to understand the potential exposure.

  • Allows unauthorized system control.
  • Matters if using Thrive Apprentice.
  • Confirm usage and assess exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this vulnerability by sending a crafted request to a vulnerable Thrive Apprentice installation. This could allow them to inject malicious PHP objects, potentially leading to complete system compromise.

  • No authentication required.
  • Triggered by specially crafted input.
  • Leads to critical data compromise.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated PHP Object Injection vulnerability in Thrive Apprentice could allow an attacker to execute arbitrary code on the server, leading to a complete compromise of the application and its underlying infrastructure. This is possible when the application deserializes untrusted data, potentially affecting all data processed by the vulnerable component.

  • Server-side code execution.
  • Unauthenticated remote code injection.
  • Full system compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated PHP Object Injection vulnerability in Thrive Apprentice affects web applications, likely managed by application owners or platform teams. The immediate priority is to locate all instances of the affected plugin, assess their exposure and business criticality, and identify the accountable owner for remediation.

  • Application owners should lead remediation.
  • Verify plugin instances and reachability.
  • Plan remediation based on risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-49107 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

Unauthenticated PHP object injection in Thrive Apprentice can lead to a PCI scan failure due to the severe security risks it presents. This type of vulnerability allows for potential code execution and other malicious attacks.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is Thrive Apprentice?

Thrive Apprentice is a WordPress plugin designed for building and managing online courses and membership sites. It allows site owners to create lessons, modules, and protected content directly within their WordPress environment.

What does PHP Object Injection mean for CVE-2026-49107?

This is a vulnerability classified as CWE-502, Deserialization of Untrusted Data. It occurs when the software takes user-provided data and converts it into a complex PHP object without proper validation. Because the application trusts this input, an attacker can manipulate the object's properties to force the application to perform unintended, harmful actions or execute arbitrary code on the server.

How is this vulnerability triggered?

An attacker triggers this flaw by sending a specifically crafted request containing malicious serialized data to a vulnerable Thrive Apprentice installation. Because the vulnerability does not require authentication, the attacker does not need an account or valid credentials to send this input. Standard, legitimate interactions with the plugin's normal course-management features do not trigger this issue.
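As an added illustration of the CWE-502 pattern described in the two answers above (not code from Thrive Apprentice or from this advisory): a handler that deserializes request data with unserialize() beside two hardened forms and a simple pre-deserialization check. All function, class and field names are hypothetical, and PHP 8 is assumed.

```php
<?php
// Added illustration of CWE-502, not Thrive Apprentice code. All function,
// class and field names below are hypothetical.

// VULNERABLE: unserialize() on bytes an unauthenticated client controls.
// The input decides which class gets instantiated, so any loaded class with
// a magic method (__wakeup, __destruct, __toString) becomes reachable.
function restore_progress_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// HARDENED (a): keep the PHP serialization format but forbid objects.
// Object tokens in the input become __PHP_Incomplete_Class, so no magic
// method of an application or library class ever runs.
function restore_progress_no_objects(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// HARDENED (b), preferred for new code: JSON cannot express PHP objects at
// all; decode to plain arrays and validate the shape you expect.
function restore_progress_json(string $raw): ?array
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['lesson_id']) || !is_int($data['lesson_id'])) {
        return null;
    }
    return $data;
}

// DETECTION: flag serialized payloads carrying object ('O:') or custom
// class ('C:') tokens before they reach a deserializer, e.g. in request
// logging or a WAF rule. Benign array/scalar data never contains them.
function contains_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed sample inputs: a harmless array and a payload naming a class
// that does not exist here. Neither is an exploit.
$benign = 'a:1:{s:9:"lesson_id";i:7;}';
$object = 'O:9:"SomeClass":0:{}';

var_dump(contains_serialized_object($benign));
var_dump(contains_serialized_object($object));
var_dump(restore_progress_no_objects($object));
var_dump(restore_progress_json('{"lesson_id": 7}'));
```

The detection helper is a coarse request-level signal; the actual fix is removing unserialize() from the untrusted path or applying the vendor's patch.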

Is my site at risk according to Halo Surface Signal?

Yes, if you use this plugin, your risk is elevated. Halo Surface Signal notes that because Thrive Apprentice is a WordPress plugin, its endpoints are intended to be reachable over the internet to serve course content to students. This public-facing design makes it a high-priority item for assessment, as the vulnerable component is likely exposed to external network traffic by default.

What should I do if I use Thrive Apprentice?

Your first step is to inventory all WordPress installations in your environment to identify where this plugin is active. Once located, verify the version in use against the affected range. Since this is a critical issue, consult the vendor's official release notes to confirm the availability of a security update and prioritize applying that patch or disabling the plugin until you can update to a secure version.
