CVE-2026-40750: WordPress Kids Online Store theme <= 0.8.9 - Arbitrary File Upload vulnerability
Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server. This issue affects Kids Online Store: from n/a through 0.8.9.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unrestricted file upload vulnerability in the WordPress 'Kids Online Store' theme (versions up to and including 0.8.9) allows an authenticated attacker to upload arbitrary files, including server-side web shells, directly to the web server. The vulnerability is reachable over the network and requires only a low-privilege account, meaning any registered WordPress user can trigger it. Successful exploitation gives an attacker full remote code execution on the hosting server, with high impact to confidentiality, integrity, and availability. No upstream patch has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is released.
HarborGuard Coverage
Detection for CVE-2026-40750 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle this theme.
Status: Available
HarborGuard scores this CVE at 9.9 CRITICAL (CVSS v3.1) and is capable of weighting that score against each customer's per-environment compliance policy to determine breach threshold and urgency routing, directing alerts to the appropriate team inbox within each customer organization.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the Patchstack advisory and NVD record on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without requiring manual intervention.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the WordPress installation via HTTP/HTTPS.
- Authentication: Required
A low-privilege WordPress account (such as a subscriber or customer role) is sufficient to trigger the upload; no administrator credentials are needed.
- Victim interaction: Not required
The attacker operates entirely on their own; no other user needs to click a link or perform any action for exploitation to succeed.
- Attack complexity: Detail
The exploit is reliable and condition-free, with no race conditions or special environmental factors required to reproduce the upload.
Blast Radius
- Attacker uploads a web shell and gains remote code execution on the host server, enabling arbitrary operating-system command execution under the web server process identity.
- All files readable by the web server process are exposed, including WordPress configuration files that contain database credentials and secret keys.
- The attacker can write, modify, or delete any file accessible to the web server, including theme files, plugins, and uploaded customer media.
- The hosting environment can be taken offline entirely by overwriting or deleting critical application files, causing full service disruption for the storefront.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-40750 as of the publication date, HarborGuard monitors the Patchstack advisory and NVD record on every ingest cycle so the gap between upstream fix publication and available patched rebuild is minimized. In the meantime, recommended compensating controls include applying network-policy rules that restrict inbound access to WordPress upload endpoints (wp-admin/async-upload.php and similar), enforcing strict egress filtering to limit outbound connections from the web server container, and, where the theme's upload feature is not actively needed, disabling it via a feature flag or capability filter in WordPress. For customers who opt into auto-remediation, a rebuilt image incorporating the upstream fix, a regression test run, and a PR opened against affected workloads will be triggered automatically as soon as a fix version is published.
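While no fixed version exists, an audit of the site's upload directories shows whether files a PHP-enabled server could execute are already present. The following is an added example, not HarborGuard's or the theme's code: the extension list, the reason labels and the sample files are assumptions constructed for illustration, and the page does not name the directory the theme writes to, so point the audit at whichever upload tree applies.

```python
import tempfile
from pathlib import Path

# Assumption: extensions a PHP-enabled server may pass to the interpreter.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
CONFIG_NAMES = {".htaccess", ".user.ini"}  # files that alter per-directory handling


def classify(path: Path, sniff_bytes: int = 65536) -> list:
    """Return the reasons a file under an upload directory is suspicious."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]  # "a.php.jpg" -> [".php", ".jpg"]
    if path.name.lower() in CONFIG_NAMES:
        reasons.append("server-config-override")
    elif suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
    elif any(s in EXECUTABLE_EXTS for s in suffixes):
        reasons.append("double-extension")
    try:
        with path.open("rb") as fh:
            head = fh.read(sniff_bytes).lower()
    except OSError:
        return reasons + ["unreadable"]
    if b"<?php" in head:  # heuristic: PHP open tag inside any file type
        reasons.append("php-open-tag")
    return reasons


def audit_uploads(root: Path) -> dict:
    """Map relative path -> reasons for every flagged file below root."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (reasons := classify(p)):
            findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree(root: Path) -> None:  # constructed sample data, not real uploads
    d = root / "2026" / "04"
    d.mkdir(parents=True)
    (d / "banner.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (d / "avatar.php").write_bytes(b"<?php /* placeholder */ ?>")
    (d / "photo.php.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (d / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n<?php /* placeholder */ ?>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        print(audit_uploads(Path(tmp)))
```

Any finding in a directory that should hold only media warrants review of the file's owner, timestamp and the account that uploaded it.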
- themagnifico52 / Kids Online Store ≤ 0.8.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H