CVE-2026-40731 | Severity: HIGH | CNA: Patchstack

CVE-2026-40731: WordPress ChapterOne theme <= 1.7 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in ChapterOne <= 1.7 versions.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

This is a Local File Inclusion (LFI) vulnerability in the ChapterOne WordPress theme by Mikado-Themes, affecting all versions up to and including 1.7. The flaw is reachable over the network with no authentication required, though exploitation requires meeting specific environmental conditions. A successful attacker can read arbitrary files from the server, modify data, and disrupt service availability. HarborGuard is tracking the advisory for patch availability, as no fix version has been published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the ChapterOne theme. Any image found to carry ChapterOne at version 1.7 or below surfaces as a finding immediately.
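The matching step described above, reduced to what a defender can run against an unpacked image or webroot: WordPress themes declare their name and version in the comment header of style.css, so a scanner can parse that header and compare the version against the advisory's "<= 1.7" bound. This is an added example, not HarborGuard's scanner or any code from the page; the theme-name normalisation, the version-comparison rules, and the sample headers are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Threshold taken from the advisory: ChapterOne versions <= 1.7 are affected.
AFFECTED_THEME = "chapterone"
MAX_AFFECTED_VERSION = "1.7"

# WordPress themes declare metadata in a comment header at the top of
# style.css ("Theme Name:" and "Version:" lines); this matches those two keys.
_HEADER_RE = re.compile(r"^\s*\*?\s*(Theme Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_theme_header(style_css: str) -> Dict[str, str]:
    """Return the 'Theme Name' and 'Version' fields found in a style.css header."""
    fields: Dict[str, str] = {}
    for key, value in _HEADER_RE.findall(style_css[:8192]):
        fields.setdefault(key, value)  # first occurrence wins, as WordPress does
    return fields


def version_key(version: str) -> Tuple[int, ...]:
    """Convert '1.7.2' to (1, 7, 2) for comparison.

    Non-numeric pieces count as 0 and trailing zeros are dropped, so
    '1.7.0' compares equal to '1.7' (assumed rule, adequate for x.y.z tags).
    """
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(theme_name: str, version: str) -> bool:
    """True when the header names ChapterOne at a version <= 1.7."""
    name = re.sub(r"[\s_\-]", "", theme_name).lower()
    return name == AFFECTED_THEME and version_key(version) <= version_key(MAX_AFFECTED_VERSION)


def scan_style_sheets(sheets: Iterable[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Check (path, contents) pairs and report every affected theme header.

    A child theme is not reported by itself: the vulnerable code lives in the
    parent, whose own style.css is checked separately.
    """
    findings = []
    for path, text in sheets:
        header = parse_theme_header(text)
        name, version = header.get("Theme Name"), header.get("Version")
        if name and version and is_affected(name, version):
            findings.append({"path": path, "theme": name, "version": version})
    return findings


def scan_webroot(root: str) -> List[Dict[str, str]]:
    """Walk an unpacked image or webroot and check every themes/<slug>/style.css."""
    sheets = (
        (str(p), p.read_text(errors="replace"))
        for p in Path(root).rglob("style.css")
        if p.parent.parent.name == "themes"
    )
    return scan_style_sheets(sheets)


# Constructed sample headers (not real files from the page or the theme).
SAMPLE_SHEETS = [
    ("wp-content/themes/chapterone/style.css",
     "/*\nTheme Name: ChapterOne\nAuthor: Mikado-Themes\nVersion: 1.7\n*/\n"),
    ("wp-content/themes/chapterone-child/style.css",
     "/*\nTheme Name: ChapterOne Child\nTemplate: chapterone\nVersion: 1.0\n*/\n"),
    ("wp-content/themes/other-theme/style.css",
     "/*\nTheme Name: Other Theme\nVersion: 2.3.1\n*/\n"),
]

if __name__ == "__main__":
    for f in scan_style_sheets(SAMPLE_SHEETS):
        print(f"AFFECTED {f['theme']} {f['version']} at {f['path']}")
```

Run `scan_webroot("/path/to/unpacked/image")` against a filesystem; on the constructed sample only the parent ChapterOne 1.7 entry is reported, while 1.7.1 or 1.8 would not be, because the advisory's bound is an inclusive "<= 1.7".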

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Mikado-Themes ships a remediated version. In the interim, customers can apply compensating controls through HarborGuard's network-policy recommendations to limit exposure.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via standard HTTP/HTTPS traffic.

  • Authentication: Not required

    No account or session credentials are needed; the attacker can trigger the vulnerability as an unauthenticated visitor.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user; the exploit is executed entirely by the attacker without victim participation.

  • Attack complexity: High

    Attack complexity is rated High, meaning the exploit is not condition-free and requires the attacker to meet specific environmental factors or timing constraints beyond the attacker's direct control.

Blast Radius

  • Reads arbitrary files from the server filesystem, including WordPress configuration files that contain database credentials and secret keys.
  • Gains write or modification capability against application data or server-side files, depending on file inclusion payload and server configuration.
  • Can crash or destabilize the affected service, causing a disruption in availability for the WordPress site and any services it supports.
  • Chained with a writable upload directory or other secondary condition, the LFI can escalate to remote code execution on the host.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-40731 is active and will flag any image containing ChapterOne at or below version 1.7 as a HIGH-severity finding. Because Mikado-Themes has not published a fix, no patched-image rebuild is available yet; HarborGuard re-evaluates the advisory on every ingest cycle and will trigger the rebuild-and-PR flow automatically the moment an upstream patch is released. For customers who opt into auto-remediation, that flow includes a rebuilt image, a regression-test run, and a pull request opened against affected workloads. While no patch exists, recommended compensating controls include applying Kubernetes network policies or web-application firewall rules that block inbound requests carrying directory-traversal sequences in the request path, and disabling or replacing the ChapterOne theme in any internet-facing environment where the risk cannot be accepted.
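The compensating control above (blocking or alerting on directory-traversal sequences) is only as good as the normalisation behind it, since traversal steps are routinely percent-encoded or double-encoded. This added example, which is not HarborGuard's detection logic or anything from the page, runs that check over constructed access-log lines in Combined Log Format: it decodes the request target until stable, then looks for a stand-alone `..` segment in the path and in each query value. The log lines, IP addresses and the `file=` parameter name are constructed for illustration; the advisory does not name the vulnerable parameter.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Combined Log Format as written by Apache/nginx; only the fields used here are named.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A traversal step is '..' standing alone as a path segment; 'post..html' is not one.
_TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (defeats double encoding)
    and fold backslashes to slashes. Overlong UTF-8 forms are out of scope here."""
    prev = None
    for _ in range(rounds):
        if s == prev:
            break
        prev, s = s, unquote(s)
    return s.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if the request path or any query value contains a '..' segment."""
    decoded = decode_fully(target)
    path, _, query = decoded.partition("?")
    candidates = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
    return any(_TRAVERSAL_RE.search(c) for c in candidates)


def flag_traversal_requests(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per log line whose request target carries traversal."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        if has_traversal(m["target"]):
            findings.append({
                "line": lineno,
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),  # 200 on a traversal attempt deserves a closer look
            })
    return findings


def count_by_ip(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Aggregate findings per source address for alert routing."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[str(f["ip"])] = counts.get(str(f["ip"]), 0) + 1
    return counts


# Constructed sample log lines (addresses from documentation ranges; not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2026:10:00:01 +0000] "GET /wp-content/themes/chapterone/style.css HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/May/2026:10:00:02 +0000] "GET /?file=../../wp-config.php HTTP/1.1" 200 2210',
    '203.0.113.9 - - [01/May/2026:10:00:03 +0000] "GET /index.php?file=..%252F..%252Fwp-config.php HTTP/1.1" 403 153',
    '198.51.100.2 - - [01/May/2026:10:00:04 +0000] "GET /blog/my-post..html HTTP/1.1" 200 8800',
    '198.51.100.3 - - [01/May/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    hits = flag_traversal_requests(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['ip']} {h['target']} -> {h['status']}")
    print(count_by_ip(hits))
```

On the sample, lines 2 and 3 are flagged (the second only because decoding is repeated), while the `..html` filename on line 4 is left alone; the same `has_traversal` predicate is what a WAF rule should be modelled on, decoding before matching rather than matching on the raw request line.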

Affected packages
  • Mikado-Themes / ChapterOne: ≤ 1.7
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H