HIGH · CVE-2026-40735 · Published · Modified · CNA: Patchstack

CVE-2026-40735: WordPress Reina theme <= 2.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Reina <= 2.1 versions.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

CVE-2026-40735 is a PHP Object Injection vulnerability in the Reina WordPress theme (versions 2.1 and earlier), developed by Edge-Themes. It is exploitable remotely over the network without any login credentials, though certain environmental conditions must align for the attack to succeed. Successful exploitation gives an attacker full read, write, and crash capability over the affected site. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built WordPress images that bundle the Reina theme.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each customer org's compliance policy to determine urgency and ownership routing, sending the finding to the team or inbox configured for that environment.

Status: Available

Patch

No fix version has been published by Edge-Themes for the Reina theme as of the CVE publication date. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment upstream ships a remediated release; for customers with auto-remediation enabled, that rebuild will trigger a regression run and a PR opened against affected workloads without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress service over the network; there is no requirement for local or physical access.

  • Authentication: Not required

    No account or session token is needed; the injection point is accessible to unauthenticated HTTP requests.

  • Victim interaction: Not required

    The attack is fully server-side and does not require any action from a logged-in user or administrator.

  • Attack complexity: Detail

    Exploitation is rated High complexity: the attacker depends on specific environmental conditions, such as a suitable POP chain being present in the loaded PHP class context, so reliable exploitation is conditional rather than straightforward.

Blast Radius

  • A successful attacker can read arbitrary files and sensitive data stored on the server, including WordPress database credentials and session secrets.
  • An attacker can write or modify files on the server by invoking deserialization gadget chains that trigger filesystem operations, enabling backdoor placement or content tampering.
  • The service can be crashed or rendered unavailable by triggering destructors or error states through the injected object graph.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged on every scan of images that include the Reina theme at version 2.1 or earlier, giving teams immediate visibility into affected workloads. Because no upstream patch exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle. In the meantime, teams can apply compensating controls such as network-policy rules that restrict unauthenticated external access to the WordPress installation, web application firewall rules that block serialized PHP payloads in request input, and disabling or replacing the theme where feasible. The moment Edge-Themes publishes a fix, HarborGuard will make a patched-image rebuild available; for customers with auto-remediation enabled, that triggers an automated rebuild, regression test run, and a PR opened against affected workloads.
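The compensating control named above, blocking serialized PHP payloads in request input, comes down to recognising the object token that PHP's serialize() emits. The sketch below is an added example, not HarborGuard's or Patchstack's rule and not code from the Reina theme; the parameter names and sample values are constructed, and it assumes request parameters are available as a name-to-value mapping.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote_plus

# serialize() object tokens: O:<len>:"<Class>":<count>:{ and C:<len>:"<Class>":<len>:{
# They open the value or follow ';' or '{' when nested; '+' covers signed lengths.
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"([^"]{1,255})":\+?\d+:\{')

def b64_text(value):
    """Return the base64-decoded text of value, or None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def decoded_views(value, depth=2):
    """Return the raw value plus its URL- and base64-decoded forms, up to depth layers."""
    seen, frontier = {value}, [value]
    for _ in range(depth):
        layer = []
        for item in frontier:
            for cand in (unquote_plus(item), b64_text(item)):
                if cand and cand not in seen:
                    seen.add(cand)
                    layer.append(cand)
        frontier = layer
    return seen

def find_serialized_objects(params):
    """Return sorted (parameter, class name) pairs for every object token found."""
    hits = set()
    for name, value in params.items():
        for view in decoded_views(str(value)):
            hits.update((name, cls) for cls in OBJECT_TOKEN.findall(view))
    return sorted(hits)

# Constructed sample requests; parameter names are hypothetical, not Reina's.
PLAIN = 'O:8:"stdClass":0:{}'
SAMPLES = {
    "benign": {"page": "2", "opts": 'a:1:{s:1:"k";s:1:"v";}', "note": "RATIO:3:1"},
    "raw": {"data": PLAIN},
    "urlencoded": {"prefs": quote('a:1:{i:0;' + PLAIN + '}')},
    "base64": {"state": base64.b64encode(PLAIN.encode()).decode()},
}

if __name__ == "__main__":
    for label, params in SAMPLES.items():
        print(label, find_serialized_objects(params))
```

A serialized array with no object token (the `opts` value) is deliberately not flagged, which keeps the rule from firing on plugins that legitimately pass serialized scalars and arrays.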

Affected packages
  • Edge-Themes / Reina ≤ 2.1
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References