CVE-2026-40751: WordPress Ashtanga theme <= 1.2 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
PHP Object Injection is a class of vulnerability where attacker-controlled data is passed to PHP's unserialize() function, allowing the attacker to instantiate arbitrary PHP objects and chain them into dangerous operations. The Ashtanga WordPress theme versions 1.2 and earlier are affected, and the vulnerability is reachable over the network with no authentication required. Successful exploitation gives an attacker full read, write, and availability impact on the affected host, depending on what PHP classes are available in the target environment. HarborGuard is tracking this advisory for patch availability, as no fix version has been published.
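As an added illustration of the vulnerability class described above (example code written for this page, not code from the advisory, HarborGuard or the Ashtanga theme), this Python check parses PHP's serialization format and reports which class names a request value would make unserialize() instantiate, which is the condition a WAF rule or request-log monitor should alert on. The parameter names, the sample values and the `Demo` class are constructed.

```python
def _parse(data: str, pos: int, classes: list[str]) -> tuple[object, int]:
    tag = data[pos]                                  # one PHP-serialized value starts here
    if tag in "NbidrR":                              # N; b:1; i:5; d:1.5; r:2; R:2;
        end = data.index(";", pos)
        return data[pos + 2:end], end + 1
    if tag == "s":                                   # s:<len>:"<bytes>";  <len> counts bytes, so
        colon = data.index(":", pos + 2)             # decode input as latin-1 (1 char == 1 byte)
        length = int(data[pos + 2:colon])
        return data[colon + 2:colon + 2 + length], colon + 4 + length
    if tag == "a":                                   # a:<count>:{key;value;...}
        colon = data.index(":", pos + 2)
        count, pos, items = int(data[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = _parse(data, pos, classes)
            items[key], pos = _parse(data, pos, classes)
        return items, pos + 1
    if tag in "OC":                                  # O:<len>:"<Class>":<count>:{props}
        colon = data.index(":", pos + 2)             # C:<len>:"<Class>":<bytes>:{payload}
        name_len = int(data[pos + 2:colon])
        name = data[colon + 2:colon + 2 + name_len]
        classes.append(name)                         # unserialize() would instantiate this class
        pos = colon + name_len + 4
        colon = data.index(":", pos)
        count, pos = int(data[pos:colon]), colon + 2
        if tag == "C":                               # opaque payload handed to Class::unserialize()
            return {"class": name}, pos + count + 1
        props = {}
        for _ in range(count):
            key, pos = _parse(data, pos, classes)
            props[key], pos = _parse(data, pos, classes)
        return {"class": name, "props": props}, pos + 1
    raise ValueError(f"not PHP serialization at offset {pos}")

def php_object_classes(value: str) -> list[str]:      # [] for scalars, arrays or plain text
    classes: list[str] = []
    try:
        _parse(value, 0, classes)
    except (ValueError, IndexError):
        return []                                    # not a complete serialized value
    return classes

def scan_request_params(params: dict[str, str]) -> dict[str, list[str]]:
    # Keep only the parameters whose value would instantiate objects, mapped to the class names.
    return {k: hits for k, v in params.items() if (hits := php_object_classes(v))}

SAMPLE_PARAMS = {   # constructed sample request (not from the advisory); "Demo" is a hypothetical class
    "prefs": 'a:1:{s:5:"theme";s:8:"ashtanga";}',                # serialized array: benign
    "note": 's:10:"O:4:"Demo"";',                                   # O: token inside a string: benign
    "q": "yoga schedule",                                           # not serialized at all
    "state": 'a:1:{i:0;O:4:"Demo":1:{s:4:"path";s:4:"data";}}',   # nested object: flag it
}
```

Because string lengths are honoured, a string whose content merely contains an `O:` token is not misreported, while an object nested inside an array is still found.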
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images that include the Ashtanga theme, including custom-built WordPress images. Coverage extends to any image layer where the affected package is installed, not just official base images.
Status: Available
HarborGuard scores this finding at CVSS 8.1 HIGH using the published CVSS v3.1 vector, and applies per-environment compliance policy weighting to prioritize routing. Findings are delivered to the inbox configured for each customer org, segmented by registry, pipeline, or team as the customer's policy specifies.
Status: Available
Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is released. In the interim, customers can apply compensating controls through HarborGuard's network-policy isolation recommendations to restrict external access to affected containers.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The vulnerable deserialization endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation.
- Authentication: Not required
  No account or session token is needed; the injection can be triggered by an anonymous request.
- Victim interaction: Not required
  The attack is fully server-side and does not require any action from a logged-in user or site visitor.
- Attack complexity: High
  Exploitation is rated High complexity, meaning the attacker must identify a suitable POP (property-oriented programming) gadget chain among the PHP classes loaded by the target environment, which depends on what other plugins or libraries are present.
Blast Radius
- A successful attacker can read arbitrary files on the server, including WordPress configuration files that contain database credentials and secret keys.
- An attacker can write or modify files on the server, enabling persistent backdoor placement or defacement of site content.
- An attacker can disrupt availability of the service, for example by deleting critical files or exhausting server resources through crafted object chains.
- The combination of full confidentiality, integrity, and availability impact means a compromised host can be pivoted into the broader container network if network policies do not isolate the workload.
How HarborGuard Handles This
Status: Available on HarborGuard. Because no upstream patch exists for CVE-2026-40751, HarborGuard monitors the Patchstack advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild is followed by a regression-test run and a pull request opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues once an upstream fix is available.
While no fix exists, HarborGuard recommends the following compensating controls:
- Use network policies to restrict inbound HTTP access to affected WordPress containers to known-good sources only.
- Apply egress filtering to limit what the PHP process can reach if object injection leads to outbound callbacks.
- Evaluate whether the Ashtanga theme can be temporarily disabled or replaced until a patch is released.
- Where compliance policy permits, HarborGuard can flag any newly built image containing Ashtanga version 1.2 or earlier as non-deployable until a fix is confirmed.
- Mikado-Themes / Ashtanga ≤ 1.2
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H