How is CVE-2026-40746 exploited?

Network reachability (required): The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via standard HTTP/HTTPS traffic. Authentication (required): A low-privilege WordPress account (subscriber role or equivalent) is sufficient; no administrative credentials are needed. Victim interaction (not-required): No victim interaction is required; the attacker sends the malicious file upload request directly without any social-engineering step. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race conditions, or environmental prerequisites.

What is the impact of CVE-2026-40746?

Attacker uploads a server-side script (such as a PHP webshell) and executes arbitrary commands on the hosting server. Full contents of the WordPress database become readable, including user credentials, session tokens, and any stored customer or order data. Attacker can overwrite, delete, or inject content into any file the web server process has write access to, including theme and plugin files. The hosting environment can be taken fully offline or repurposed as a foothold for lateral movement into adjacent services on the same infrastructure.

Back to search

CRITICALCVE-2026-40746Published 2026-06-17Modified 2026-06-17CNA Patchstack

CVE-2026-40746: WordPress Restaurant Zone theme <= 0.7.8 - Arbitrary File Upload vulnerability

Q: What is CVE-2026-40746?

An arbitrary file upload vulnerability exists in the Restaurant Zone WordPress theme (versions 0.7.8 and earlier), reachable over the network by any authenticated subscriber-level user. An attacker with a low-privilege WordPress account can upload malicious files, such as server-side scripts, to the target host without restriction. Successful exploitation enables full remote code execution, complete data disclosure, data tampering, and service disruption. No upstream fix has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment a fix is released.

Q: Is CVE-2026-40746 patched?

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a corrected release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without any manual intervention once a fix becomes available.

Subscriber Arbitrary File Upload in Restaurant Zone <= 0.7.8 versions.

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An arbitrary file upload vulnerability exists in the Restaurant Zone WordPress theme (versions 0.7.8 and earlier), reachable over the network by any authenticated subscriber-level user. An attacker with a low-privilege WordPress account can upload malicious files, such as server-side scripts, to the target host without restriction. Successful exploitation enables full remote code execution, complete data disclosure, data tampering, and service disruption. No upstream fix has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment a fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-40746 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the Restaurant Zone theme. Any image carrying a vulnerable version of the theme is flagged automatically in the customer's registry and CI pipeline.

Available

Triage

HarborGuard scores this CVE at 9.9 CRITICAL using the published CVSS v3.1 vector and applies per-environment compliance policy weighting to prioritize triage queues appropriately. Findings are routed to the right team inbox within each customer organization based on image ownership and severity thresholds configured in their policy.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a corrected release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without any manual intervention once a fix becomes available.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via standard HTTP/HTTPS traffic.
AuthenticationRequired
A low-privilege WordPress account (subscriber role or equivalent) is sufficient; no administrative credentials are needed.
Victim interactionNot required
No victim interaction is required; the attacker sends the malicious file upload request directly without any social-engineering step.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race conditions, or environmental prerequisites.

Blast Radius

Attacker uploads a server-side script (such as a PHP webshell) and executes arbitrary commands on the hosting server.
Full contents of the WordPress database become readable, including user credentials, session tokens, and any stored customer or order data.
Attacker can overwrite, delete, or inject content into any file the web server process has write access to, including theme and plugin files.
The hosting environment can be taken fully offline or repurposed as a foothold for lateral movement into adjacent services on the same infrastructure.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked continuously with no gap in coverage despite the absence of an upstream fix. Every ingest cycle re-checks the Patchstack advisory feed so that the moment a patched release is published, a rebuilt image at the fixed version becomes available and auto-remediation customers receive the rebuild, regression test run, and a PR opened against affected workloads. In the meantime, compensating controls are worth applying: network policy rules can restrict inbound access to WordPress admin and subscriber-facing upload endpoints; egress filtering on the container can limit what a webshell can reach if one is uploaded; and disabling or replacing the Restaurant Zone theme with a patched alternative removes the attack surface entirely where operationally feasible. Given the CRITICAL severity (9.9), images containing this theme should be treated as high-priority findings regardless of auto-remediation status.

See how HarborGuard automates this

Affected packages

themagnifico52 / Restaurant Zone
≤ 0.7.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References

patchstack.com

Metrics

Get notified