HIGH | CVE-2026-40733 | CNA: Patchstack

CVE-2026-40733: WordPress ShiftUp theme <= 1.3 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in ShiftUp <= 1.3 versions.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: no fixed version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a vulnerability class where an attacker sends crafted serialized data to an application, tricking it into instantiating arbitrary PHP objects and executing unintended logic. The ShiftUp WordPress theme (versions 1.3 and below) contains this flaw, reachable over the network without any authentication. Depending on other code present in the WordPress installation, successful exploitation can lead to full data disclosure, data tampering, or remote code execution. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix is released.
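The pattern behind this vulnerability class, as an added illustration that is not ShiftUp code and makes no claim about where the flaw sits in the theme: a class with a magic method stands in for a gadget, untrusted input reaches unserialize() directly, and two hardened variants stop object instantiation. The class names, the request handling and the sample payload are invented for the example; it assumes PHP 8.

```php
<?php
// Added example of PHP Object Injection and its mitigations. Nothing here is
// ShiftUp or Mikado-Themes code; CacheEntry, RunLog and the payload are invented.
declare(strict_types=1);

// A harmless stand-in for a "gadget": any class whose magic methods run during
// unserialize() (__wakeup, __unserialize) or afterwards (__destruct, __toString).
final class CacheEntry
{
    public string $path = '';

    public function __wakeup(): void
    {
        // In a real gadget chain this side effect would be a file write, an
        // include() or a database query. Here it only records that it ran.
        RunLog::$events[] = "CacheEntry::__wakeup path={$this->path}";
    }
}

final class RunLog
{
    public static array $events = [];
}

// Vulnerable pattern: untrusted input goes straight into unserialize().
// A string such as O:10:"CacheEntry":1:{...} instantiates CacheEntry and
// fires __wakeup before the calling code ever inspects the result.
function loadStateVulnerable(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1: forbid object instantiation entirely. Objects in the
// payload come back as __PHP_Incomplete_Class and no magic method runs.
function loadStateHardened(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP's native format for untrusted data at all.
// JSON cannot express PHP objects, so there is nothing to inject.
function loadStateJson(string $untrusted): ?array
{
    $decoded = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// Detection heuristic in the spirit of the WAF rule the advisory mentions:
// flag request values that carry a serialized PHP object marker (O:<len>:").
function looksLikeSerializedObject(string $value): bool
{
    return preg_match('/(^|[;{])O:\d+:"/', urldecode($value)) === 1;
}

// Constructed sample payload (not taken from the advisory).
$payload = 'O:10:"CacheEntry":1:{s:4:"path";s:10:"/tmp/x.php";}';

loadStateVulnerable($payload);
var_dump(RunLog::$events);          // one event: __wakeup ran on attacker-chosen data

RunLog::$events = [];
$obj = loadStateHardened($payload);
var_dump($obj instanceof __PHP_Incomplete_Class); // bool(true)
var_dump(RunLog::$events);          // empty: no magic method executed

var_dump(looksLikeSerializedObject($payload));             // bool(true)
var_dump(looksLikeSerializedObject('{"path":"/tmp/x"}'));  // bool(false)
```

Two caveats for defenders: `allowed_classes => false` removes the object-injection path but still lets untrusted input drive the parser, so the JSON variant is the stronger fix wherever the data format is under your control; and the marker regex is a detection signal, not a mitigation, since encoded or nested payloads can evade it.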

HarborGuard Coverage

Detection

Detection for CVE-2026-40733 is available across every HarborGuard environment: the CVE is matched against customer images within minutes of its ingestion from upstream feeds such as Patchstack, and the match covers custom-built images that bundle the ShiftUp theme. Coverage extends to both registry scans and in-pipeline image checks at build time.

Status: Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 8.1 HIGH and weighting it further against each customer environment's compliance policy, for example stricter handling under PCI-DSS or SOC 2 profiles. Triage results are routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

Because no fix version has been published for CVE-2026-40733, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a corrected release. In the interim, compensating controls such as network-policy isolation of WordPress workloads and web-application firewall rules blocking malformed serialized payloads are surfaced as actionable recommendations within the platform.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is reachable over the network, so an attacker must be able to send HTTP requests to the WordPress installation.

  • Authentication: Not required

    No account or session token is needed; the injection can be triggered by an unauthenticated request.

  • Victim interaction: Not required

    No user action or social-engineering step is needed; the attacker sends the payload directly to the application.

  • Attack complexity: High

    Attack complexity is rated High, meaning reliable exploitation depends on environmental factors such as the presence of a suitable PHP gadget chain within the installed plugin or theme codebase.

Blast Radius

  • A successful attacker can read confidential data stored by WordPress, including user credentials, session tokens, and any customer records held in the database.
  • An attacker can modify or delete persisted database rows, altering site content, injecting malicious scripts, or destroying data.
  • Where a usable PHP gadget chain exists in the environment, an attacker can achieve remote code execution, running arbitrary commands inside the container.

How HarborGuard Handles This

Available on HarborGuard: because no patched version of ShiftUp exists at this time, the platform monitors the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild automatically once an upstream fix is published. For customers who opt into auto-remediation, that rebuild will trigger a regression-test run and a PR opened against affected workloads without manual intervention. While no patch is available, HarborGuard surfaces compensating-control recommendations including Kubernetes NetworkPolicy rules to restrict inbound traffic to WordPress workloads, egress filtering to limit outbound connections from compromised containers, and WAF rule suggestions targeting malformed PHP serialized payloads. Customers can also use HarborGuard policy gates to block promotion of images containing ShiftUp 1.3 or below to production until the vulnerability is resolved.

Affected packages
  • Mikado-Themes / ShiftUp ≤ 1.3
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H