CVE-2026-40739: WordPress LuxeDrive theme <= 1.4 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in LuxeDrive <= 1.4 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: — (no fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
PHP Object Injection is a class of vulnerability in which attacker-supplied data reaches PHP's unserialize() without validation. unserialize() will instantiate any class the runtime can load and fill its properties from the payload, so the attacker chooses which objects exist and what their fields contain; the magic methods PHP invokes on its own (__wakeup(), __destruct(), __toString() and similar) can then be chained into file, database or code-execution operations, a so-called gadget chain. This vulnerability in the LuxeDrive WordPress theme (versions 1.4 and below) is reachable over the network and requires neither authentication nor user interaction. With a usable gadget chain present, successful exploitation gives the attacker full confidentiality, integrity and availability impact against the affected host; which impact is actually reachable depends on the PHP classes available in the runtime environment, which is why the CVSS attack complexity is rated High. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is released.
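To make the mechanism concrete, here is an added, self-contained PHP illustration. It is not LuxeDrive's code and not the vulnerable path in the theme: the CacheFlusher class, the load_prefs_* functions and the file-write gadget are invented for the demo. It shows a minimal gadget class, the vulnerable unserialize() call, and two hardened loaders (unserialize() with allowed_classes => false, and signed JSON) fed the same attacker payload.

```php
<?php
// Added illustration of PHP Object Injection and two hardened alternatives.
// Not LuxeDrive's code: class, function and field names are invented for the
// demo, and the gadget is deliberately simple.

// A "gadget": a class already loadable in the runtime whose magic method does
// something dangerous with its own properties. The attacker never uploads
// code; they only need such a class to exist and a call to unserialize() on
// data they control.
class CacheFlusher
{
    public $file = '';
    public $contents = '';

    // __destruct() runs when the object is released, so the gadget fires even
    // if the application never touches the injected object.
    public function __destruct()
    {
        if ($this->file !== '') {
            file_put_contents($this->file, $this->contents);
        }
    }
}

// VULNERABLE: attacker-controlled string passed straight to unserialize().
function load_prefs_vulnerable(string $raw)
{
    return unserialize($raw);
}

// HARDENED, option 1: keep unserialize() but forbid every class. Objects in the
// payload become __PHP_Incomplete_Class instances whose magic methods are never
// invoked, so no gadget can fire. Only scalars and arrays are accepted.
function load_prefs_allowlisted(string $raw): array
{
    $val = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($val) ? $val : [];
}

// HARDENED, option 2 (preferred for new code): never use PHP serialization for
// untrusted input. Use JSON, and sign it so tampered data is rejected before
// it is parsed at all. $key is a server-side secret.
function encode_prefs(array $prefs, string $key): string
{
    $json = json_encode($prefs, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, $key);
}

function load_prefs_signed(string $raw, string $key): array
{
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return [];
    }
    $json = base64_decode($parts[0], true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $key), $parts[1])) {
        return [];
    }
    $val = json_decode($json, true);
    return is_array($val) ? $val : [];
}

// ---- demo: the same payload against all three loaders ----------------------
$target = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.txt';

// Build what an attacker would place in a cookie or POST field: a serialized
// CacheFlusher with attacker-chosen property values.
$g = new CacheFlusher();
$g->file = $target;
$g->contents = "<?php /* attacker-controlled content */ ?>\n";
$payload = serialize($g);
$g->file = '';       // keep our own instance's destructor inert
unset($g);
echo "payload: $payload\n";

@unlink($target);
$obj = load_prefs_vulnerable($payload);   // instantiates CacheFlusher
unset($obj);                              // ... and __destruct() writes the file
echo 'vulnerable loader wrote file: ' . var_export(file_exists($target), true) . "\n";

@unlink($target);
load_prefs_allowlisted($payload);         // incomplete class, no destructor
echo 'allowlisted loader wrote file: ' . var_export(file_exists($target), true) . "\n";

$key = random_bytes(32);
echo 'signed loader, valid token:   ';
var_dump(load_prefs_signed(encode_prefs(['theme' => 'dark'], $key), $key));
echo 'signed loader, attacker data: ';
var_dump(load_prefs_signed($payload, $key));
@unlink($target);
```

Run it with php from the command line: it prints the serialized payload and shows that only the vulnerable loader causes the file to be written. Note that allowed_classes => false still runs PHP's unserialize() parser over attacker input, so the signed-JSON loader is the better default for new code; the allow-list option is the quick retrofit when a serialization format cannot be changed.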
HarborGuard Coverage
Detection for CVE-2026-40739 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. This matching covers custom-built images that bundle the LuxeDrive theme alongside WordPress, not only upstream base images.
HarborGuard scores this CVE at 8.1 HIGH (CVSS v3.1) and can weight that score against each customer environment's compliance policy to reflect local risk tolerance and regulatory context. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Because no fix version has been published for CVE-2026-40739, HarborGuard re-evaluates the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Mikado-Themes ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression test run and PR against affected workloads are initiated without manual intervention as soon as a fix version is confirmed. Fix status: pending upstream.
Exploit Conditions
- Network reachability: Required
The vulnerable deserialization endpoint is exposed over the network, so the attacker must be able to send HTTP requests to the WordPress installation.
- Authentication: Not required
No account or session token is needed; the injection is triggered by an unauthenticated request.
- Victim interaction: Not required
The attacker does not need to trick or involve any user; the exploit is entirely server-side.
- Attack complexity: High
Exploitation depends on environmental factors, chiefly the presence of a suitable gadget chain in the runtime (loaded PHP classes whose magic methods can be chained into a harmful operation); the exploit is not reliably condition-free.
Blast Radius
- Given a suitable gadget chain, a successful attacker can read files and data accessible to the PHP process, including the WordPress database credentials in wp-config.php and stored user session tokens.
- The attacker can write or modify files on the server, enabling persistent backdoor installation or defacement of site content.
- Depending on the available gadget chain, the attacker may achieve remote code execution on the host running the WordPress application.
- The exploit can crash or destabilize the PHP runtime through destructors in the gadget chain, causing service disruption for the affected site.
How HarborGuard Handles This
Because no upstream patch exists for CVE-2026-40739, HarborGuard continuously monitors the Patchstack and NVD advisory feeds and will trigger a patched-image rebuild the moment Mikado-Themes publishes a fix; auto-remediation customers receive the rebuild, regression run and PR automatically. In the interim, HarborGuard surfaces this finding at HIGH severity on any image that bundles LuxeDrive 1.4 or earlier, and customers can apply compensating controls:
- network-policy isolation that restricts public HTTP access to the WordPress endpoint;
- web-application firewall rules that block serialized PHP object payloads (the O:<length>:"ClassName": form, including URL- or base64-encoded variants) in request bodies, and, since the advisory does not name the injection point, in cookies and query parameters as well;
- feature-flag or plugin-manager gating that disables the theme's deserialization code path where the application architecture permits.
Where compliance policy permits automated responses, affected images can be flagged for an immediate rebuild freeze until a clean base is available.
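The WAF control above depends on recognising serialized PHP objects in traffic. The following added PHP example (not HarborGuard's or the theme's code; the sample request bodies are constructed) shows the core of such a rule: it scans a form-encoded body and each field value, tries URL and base64 decodings, and reports the class names of any serialized objects it finds. It goes slightly beyond the page by also catching the C: form used by classes implementing Serializable and namespaced class names.

```php
<?php
// Added example of the kind of check a WAF rule or a pre-unserialize guard
// would implement: flag request bodies that carry a PHP-serialized object,
// including URL- and base64-encoded variants. Not HarborGuard or LuxeDrive
// code; the sample request bodies at the bottom are constructed.

// Serialized objects start with O:<len>:"<Class>":<n>:{ (plain objects) or
// C:<len>:"<Class>":<n>:{ (classes implementing Serializable). Class names may
// carry namespace backslashes. Scalars and arrays (s:, i:, a:) are not matched.
const PHP_OBJECT_RE = '/[OC]:\d+:"([A-Za-z_\\\\][\w\\\\]*)":\d+:\{/';

// Split an application/x-www-form-urlencoded body into decoded field values.
// rawurldecode() is used deliberately so that '+' survives inside base64.
function form_values(string $body): array
{
    $vals = [];
    foreach (explode('&', $body) as $pair) {
        $eq = strpos($pair, '=');
        $vals[] = rawurldecode($eq === false ? $pair : substr($pair, $eq + 1));
    }
    return $vals;
}

// The forms in which one value is inspected: as given, URL-decoded, and
// base64-decoded (attackers routinely wrap payloads in one or both).
function candidate_decodings(string $s): array
{
    $out = [$s];
    $url = rawurldecode($s);
    if ($url !== $s) {
        $out[] = $url;
    }
    foreach ($out as $v) {
        // strict base64 only; values shorter than 8 chars cannot hold a payload
        if (strlen($v) >= 8 && preg_match('#^[A-Za-z0-9+/=]+$#', $v)) {
            $b = base64_decode($v, true);
            if ($b !== false) {
                $out[] = $b;
            }
        }
    }
    return $out;
}

// Returns the class names of every serialized object found; an empty array
// means nothing suspicious.
function find_serialized_objects(string $body): array
{
    $hits = [];
    foreach (array_merge([$body], form_values($body)) as $value) {
        foreach (candidate_decodings($value) as $decoded) {
            if (preg_match_all(PHP_OBJECT_RE, $decoded, $m)) {
                foreach ($m[1] as $class) {
                    $hits[] = $class;
                }
            }
        }
    }
    return array_values(array_unique($hits));
}

// ---- constructed sample bodies ---------------------------------------------
$obj = 'O:12:"CacheFlusher":2:{s:4:"file";s:10:"/tmp/x.php";s:8:"contents";s:3:"abc";}';
$samples = [
    'benign form'  => 'action=save&theme=dark&font_size=14',
    'benign json'  => '{"theme":"dark","items":["a","b"]}',
    'benign array' => 'prefs=a:1:{s:5:"theme";s:4:"dark";}',
    'raw object'   => 'prefs=' . $obj,
    'url-encoded'  => 'prefs=' . rawurlencode($obj),
    'base64'       => 'prefs=' . base64_encode($obj),
    'namespaced'   => 'data=a:1:{i:0;O:25:"Acme\Cache\FlushOnDestroy":0:{}}',
];
foreach ($samples as $name => $body) {
    $hits = find_serialized_objects($body);
    printf("%-13s %s\n", $name, $hits ? 'BLOCK (' . implode(', ', $hits) . ')' : 'allow');
}
```

Treat this as a compensating control only: the injection point for this CVE is not named in the advisory, so the same check must be applied to cookies, query strings and multipart fields, and nested or custom encodings will evade a single-pass decoder like this one. The durable fix is for the theme to stop calling unserialize() on attacker-reachable data.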
- Mikado-Themes / LuxeDrive: ≤ 1.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H