CRITICAL | CVE-2026-40749 | Published | Modified | CNA: Patchstack

CVE-2026-40749: WordPress Charity Zone theme <= 1.1.1 - Arbitrary File Upload vulnerability

Subscriber Arbitrary File Upload in Charity Zone <= 1.1.1 versions.

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

An arbitrary file upload vulnerability affects the Charity Zone WordPress theme (versions 1.1.1 and earlier). The flaw is reachable over the network and requires only a low-privilege account (subscriber level) to exploit, with no user interaction needed. Successful exploitation fully compromises the confidentiality, integrity, and availability of the affected environment, including the ability to upload and execute arbitrary code. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-40749 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Charity Zone theme. Any image at or below version 1.1.1 of the affected theme is flagged automatically.

Status: Available
Triage

Triage is available with the full CVSS v3.1 score of 9.9 (Critical) applied to each matched image, weighted against the customer's own compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment themagnifico52 ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker can reach it from any internet-accessible host without needing local or physical access.

  • Authentication: Required

    A low-privilege account (subscriber level) is sufficient; no administrative credentials are needed, but unauthenticated access alone is not enough.

  • Victim interaction: Not required

    No user interaction is required; the attacker can complete the exploit entirely without any action from another user.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions or specific memory layout requirements.

Blast Radius

  • An attacker can upload and execute arbitrary server-side code, gaining a persistent foothold on the web server.
  • Full contents of the web application, including stored credentials, user data, and configuration files, become readable to the attacker.
  • An attacker can modify or delete any files and database records accessible to the web server process.
  • The scope is changed (S:C), meaning the impact can extend beyond the WordPress installation itself to other services or containers sharing the host environment.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-40749 is active and will flag any image bundling Charity Zone at version 1.1.1 or earlier. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the moment themagnifico52 publishes a remediated version. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include applying network-policy rules to restrict inbound access to the WordPress upload endpoints, enforcing egress filtering to limit post-exploitation callback paths, and auditing subscriber-level account registrations to reduce the pool of accounts that could be weaponized. The Critical severity rating (9.9) means this advisory should be treated as high priority for any environment running the affected theme.

Affected packages
  • themagnifico52 / Charity Zone
    ≤ 1.1.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H