How is CVE-2026-40738 exploited?

Network reachability (required): The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP/HTTPS to deliver a malicious serialized payload. Authentication (not-required): No account or session credentials are needed; the injection point is accessible to unauthenticated requests. Victim interaction (not-required): No user action is needed on the target site; the attacker sends the payload directly without requiring any click or navigation by a victim. Attack complexity (info): Attack complexity is rated High, meaning the exploit depends on specific environmental conditions, memory layout, or the presence of a suitable POP chain in the installed PHP codebase rather than being reliably condition-free.

What is the impact of CVE-2026-40738?

A successful attacker reads arbitrary files and sensitive data from the server, including credentials, keys, and customer records stored on the host. A successful attacker writes or modifies files on the server, enabling persistent backdoors or tampering with application logic. A successful attacker can crash or disable the WordPress service, causing a denial of service for the affected site. If a usable POP chain exists in the installed PHP dependencies, the attacker executes arbitrary operating-system commands on the host.

Back to search

HIGHCVE-2026-40738Published 2026-06-17Modified 2026-06-17CNA Patchstack

CVE-2026-40738: WordPress Eldon theme <= 1.4.1 - PHP Object Injection vulnerability

Q: What is CVE-2026-40738?

PHP Object Injection is a vulnerability where attacker-controlled data is passed to PHP's unserialize() function, causing the application to instantiate arbitrary objects and potentially execute attacker-chosen code. This vulnerability in the Eldon WordPress theme (versions 1.4.1 and earlier) is reachable over the network with no authentication required, and the exploit path involves non-trivial timing or environmental conditions per the CVSS vector. Successful exploitation gives an attacker full read, write, and availability impact against the affected host. No upstream fix has been published; HarborGuard tracks the advisory for patch availability.

Q: Is CVE-2026-40738 patched?

No fix version has been published by Edge-Themes for Eldon. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released; for customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be initiated automatically at that point.

Unauthenticated PHP Object Injection in Eldon <= 1.4.1 versions.

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

PHP Object Injection is a vulnerability where attacker-controlled data is passed to PHP's unserialize() function, causing the application to instantiate arbitrary objects and potentially execute attacker-chosen code. This vulnerability in the Eldon WordPress theme (versions 1.4.1 and earlier) is reachable over the network with no authentication required, and the exploit path involves non-trivial timing or environmental conditions per the CVSS vector. Successful exploitation gives an attacker full read, write, and availability impact against the affected host. No upstream fix has been published; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection

Detection for CVE-2026-40738 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds including Patchstack, covering custom-built images that bundle the Eldon theme. Any image in a connected registry or CI pipeline that includes Eldon 1.4.1 or earlier is eligible for flagging.

Available

Triage

HarborGuard is capable of surfacing this CVE with its CVSS 3.1 score of 8.1 (HIGH) weighted against each customer environment's compliance policy, so urgency thresholds and escalation rules are applied per-org. Triage routing is available to direct findings to the appropriate team inbox based on owner tags and policy configuration.

Available

Patch

No fix version has been published by Edge-Themes for Eldon. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released; for customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be initiated automatically at that point.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP/HTTPS to deliver a malicious serialized payload.
AuthenticationNot required
No account or session credentials are needed; the injection point is accessible to unauthenticated requests.
Victim interactionNot required
No user action is needed on the target site; the attacker sends the payload directly without requiring any click or navigation by a victim.
Attack complexityDetail
Attack complexity is rated High, meaning the exploit depends on specific environmental conditions, memory layout, or the presence of a suitable POP chain in the installed PHP codebase rather than being reliably condition-free.

Blast Radius

A successful attacker reads arbitrary files and sensitive data from the server, including credentials, keys, and customer records stored on the host.
A successful attacker writes or modifies files on the server, enabling persistent backdoors or tampering with application logic.
A successful attacker can crash or disable the WordPress service, causing a denial of service for the affected site.
If a usable POP chain exists in the installed PHP dependencies, the attacker executes arbitrary operating-system commands on the host.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-40738 activates immediately on ingestion, flagging any image containing Eldon 1.4.1 or earlier in connected registries and pipelines. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild the moment Edge-Themes publishes a fix; for customers with auto-remediation enabled, that rebuild triggers a regression run and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy isolation to restrict public HTTP access to WordPress installations where operationally possible, web application firewall rules targeting deserialization payloads, and auditing installed themes and plugins to confirm whether a POP chain is present in the dependency set, which directly affects exploitability under the High attack-complexity rating.

See how HarborGuard automates this

Affected packages

Edge-Themes / Eldon
≤ 1.4.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

patchstack.com

Metrics

Get notified