HarborGuard Database
Severity: HIGH | CVE-2026-40736 | CNA: Patchstack

CVE-2026-40736: WordPress Laurits theme <= 1.5.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a vulnerability in the Laurits WordPress theme (versions 1.5.1 and earlier) where attacker-controlled data is passed to PHP's unserialize() function without validation. The flaw is reachable over the network with no authentication required, though exploitation involves some environmental complexity. A successful attacker can read sensitive data, tamper with application content, and crash the affected service, depending on which PHP classes are available in the target environment. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment an upstream fix is released.

HarborGuard Coverage

Detection (status: Available)

Detection capability for CVE-2026-40736 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built WordPress images that bundle the Laurits theme.

Triage (status: Available)

HarborGuard is capable of scoring this CVE at 8.1 HIGH (CVSS v3.1) and weighting it against each environment's compliance policy to surface appropriate priority; triage alerts are routable to the correct team or inbox within each customer organization based on configured policy.

Patch (status: Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Edge-Themes ships a remediated release. Until then, customers can apply compensating controls such as network-policy isolation of affected WordPress instances and web-application firewall rules that block serialized PHP payloads at the perimeter.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress site via HTTP/HTTPS to deliver a malicious serialized payload.

  • Authentication: Not required

    No account or session token is needed; the injection point is accessible to unauthenticated requests.

  • Victim interaction: Not required

    The attacker sends a crafted request directly to the server; no user action or social engineering is involved.

  • Attack complexity: High

    Exploitation is rated High complexity, meaning success depends on environmental factors such as which PHP classes (gadget chains) are present in the target application's dependency tree.

Blast Radius

  • A successful attacker can read sensitive server-side data including configuration files, credentials, and stored user records.
  • An attacker can modify application data or files on disk, depending on available PHP gadget chains in the environment.
  • The attacker can crash or destabilize the PHP process, causing service disruption for site visitors and administrators.
  • The combination of high Confidentiality, Integrity, and Availability impact means full compromise of the WordPress instance is within scope if a suitable gadget chain exists.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-40736 is active across connected environments as of the CVE publication date, with images containing Laurits theme versions up to 1.5.1 flagged automatically. Because no upstream patch exists, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads as soon as a fix version is published. In the interim, recommended compensating controls include isolating affected WordPress containers behind a network policy that restricts inbound access to trusted sources, deploying a web-application firewall rule to reject requests containing serialized PHP data, and auditing PHP dependencies in the image for known deserialization gadget chains that would expand exploitability.
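The Synopsis above describes untrusted data reaching PHP's unserialize(), and the compensating controls above mention web-application firewall rules that reject serialized PHP payloads. The PHP below is an added example written for this page; it is not code from the Laurits theme, from Edge-Themes or from HarborGuard. It assumes PHP 8, uses a plain string argument in place of the theme's real input path (which the advisory does not name), and every serialized string, key and class name in it is constructed. It puts the vulnerable pattern beside two hardened forms and adds a detector of the kind a WAF rule or request-log check would use.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Laurits theme or HarborGuard. $raw stands in
// for whatever attacker-controllable string reaches unserialize(); the sample
// payloads, keys and class names below are constructed for illustration.

// Vulnerable pattern described in the advisory: untrusted data goes straight
// to unserialize(). With default options PHP instantiates any class named in
// the payload, so the __wakeup/__destruct/__toString methods of every loaded
// class become reachable to an unauthenticated sender (a "gadget chain").
function load_settings_vulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern 1 (PHP >= 7.0): keep unserialize() but refuse to instantiate
// classes. Any object in the payload becomes __PHP_Incomplete_Class, whose magic
// methods are never invoked, which removes the gadget-chain surface.
function load_settings_hardened(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    // unserialize() returns false both for malformed input and for a genuine
    // serialized false, so tell the two apart before rejecting the input.
    if ($value === false && $raw !== serialize(false)) {
        return null;
    }
    return $value;
}

// Hardened pattern 2 (preferred for new code): store settings in a format that
// cannot express PHP objects at all. JSON decodes to scalars and arrays only.
function load_settings_json(string $raw): ?array
{
    try {
        $value = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($value) ? $value : null;
}

// Perimeter / detection check matching the compensating control above: flag a
// decoded request parameter or body carrying a serialized PHP object (O:) or a
// custom-serialized object (C:). Scalars (i:, s:, b:, d:) and arrays (a:) carry
// no objects, so they are left alone to limit false positives. Run this on the
// URL-decoded value, otherwise an encoded payload would not be seen.
function contains_serialized_php_object(string $s): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"[^"]*":\d+:\{/', $s) === 1;
}

// Demonstration on constructed inputs.
$plainArray = 'a:1:{s:5:"theme";s:7:"laurits";}';
$objectBlob = 'O:8:"stdClass":1:{s:4:"name";s:5:"value";}';
$nestedBlob = 'a:1:{i:0;O:8:"stdClass":0:{}}';

foreach ([$plainArray, $objectBlob, $nestedBlob] as $sample) {
    printf("%-46s detector=%s\n", $sample,
        contains_serialized_php_object($sample) ? 'flag' : 'pass');
}

// With allowed_classes disabled the object payload no longer yields a live
// instance of the named class, so no magic method of it can run.
$loaded = load_settings_hardened($objectBlob);
echo 'hardened loader produced: ',
    is_object($loaded) ? get_class($loaded) : gettype($loaded), PHP_EOL;

var_dump(load_settings_json('{"theme":"laurits"}'));
```

The detector is deliberately narrow: it only reacts to the two serialization forms that can name a class, because those are the only ones that can reach a gadget chain, and it expects already-decoded input. Of the two hardened loaders, the JSON form is the stronger choice for new code, while the allowed_classes form is the minimal change when an existing serialized storage format cannot be migrated.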

Affected packages
  • Edge-Themes / Laurits
    ≤ 1.5.1
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H