HIGH | CVE-2026-40752 | CNA: Patchstack

CVE-2026-40752: WordPress Manufaktur Solutions theme <= 1.1.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Manufaktur Solutions <= 1.1.1 versions.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a vulnerability class in which attacker-controlled input is passed to PHP's unserialize() function, letting the attacker instantiate application classes of their choosing and trigger code paths (such as magic methods) the application never intended to expose to that input. This vulnerability in the Manufaktur Solutions WordPress theme (versions 1.1.1 and earlier) is reachable over the network with no authentication required, though exploitation depends on specific environmental conditions. Successful exploitation can yield full confidentiality, integrity and availability impact on the affected system (the vector rates C:H/I:H/A:H); the concrete outcome depends on which PHP gadget chains are present in the environment. No fix version has been published; HarborGuard tracks this advisory for patch availability.
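To make the vulnerability class concrete, here is an added illustration that is not the Manufaktur Solutions theme's code: the unchecked unserialize() pattern beside a hardened loader. The CacheWriter class, the loader functions and the serialized sample input are constructed for this example.

```php
<?php
// Added illustration of the PHP Object Injection class; NOT the Manufaktur
// Solutions theme's code. CacheWriter, the loaders and $payload are constructed.

// A class with side effects in a magic method. An injected object of this class
// runs __destruct() without the attacker ever calling it explicitly.
class CacheWriter
{
    public $path = '';
    public $contents = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            // A real gadget would touch the filesystem here; we only report it.
            echo "__destruct() ran for {$this->path}\n";
        }
    }
}

// Vulnerable pattern: untrusted input reaches unserialize() with no restrictions,
// so any class loaded by WordPress, the theme or a plugin can be instantiated.
function load_settings_vulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern (PHP >= 7.0): refuse every class. Objects in the payload
// become __PHP_Incomplete_Class, whose magic methods are never invoked, and
// anything that is not a plain array is discarded.
function load_settings_hardened(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Constructed payload: a serialized CacheWriter, the shape an injected object takes.
$payload = 'O:11:"CacheWriter":2:{s:4:"path";s:12:"/tmp/example";s:8:"contents";s:5:"hello";}';

$obj = load_settings_vulnerable($payload);
var_dump($obj instanceof CacheWriter);   // the attacker-chosen object now exists in memory
unset($obj);                             // dropping the last reference runs __destruct()

var_dump(load_settings_hardened($payload)); // no object is created, so no magic method runs
```

For new code, prefer a format without object semantics (for example json_decode() on JSON) over PHP serialization for any data that crosses a trust boundary.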

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-40752 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds including Patchstack and NVD. Coverage extends to custom-built WordPress images that bundle the Manufaktur Solutions theme, not only images pulled from public registries.

Triage (Available)

HarborGuard is capable of scoring this CVE at 8.1 HIGH using the CVSS v3.1 vector and weighting it further against each customer org's compliance policy to determine urgency. Triage routing is available to surface findings to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment a fix is released upstream. In the interim, customers can apply compensating controls through HarborGuard's network-policy isolation recommendations to limit exposure of affected workloads.

Exploit Conditions

  • Network reachability: Required

    The vulnerability is reachable over the network; the attacker must be able to send HTTP requests to the WordPress installation running the affected theme.

  • Authentication: Not required

    No account or session credentials are needed; the injection vector is accessible to unauthenticated requests.

  • Victim interaction: Not required

    Exploitation is fully server-side; no user action such as clicking a link or loading a page is required from any victim.

  • Attack complexity: High

    Attack complexity is rated High, meaning the attacker must account for environmental factors such as the presence of a suitable PHP gadget chain in the application's dependency set; the injection alone does not guarantee a useful outcome.

Blast Radius

  • An attacker with a working gadget chain can read arbitrary files on the server, including WordPress configuration files containing database credentials and secret keys.
  • Object manipulation can overwrite or delete persisted files and database records accessible to the PHP process.
  • Depending on available gadgets, the attacker may achieve remote code execution, running arbitrary commands under the web server process account.
  • Service availability can be disrupted by triggering destructors or error states that crash the PHP process or exhaust server resources.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-40752 at this time, HarborGuard monitors the Patchstack and NVD advisory feeds on every ingest cycle and will make a patched-image rebuild available automatically the moment Select-Themes publishes a fix version. For customers who opt into auto-remediation, that rebuild will trigger a regression-test run and a PR opened against affected workloads without manual intervention. While no patch is available, compensating controls are recommended: network-policy isolation to restrict inbound HTTP access to WordPress instances running this theme, egress filtering to limit what the PHP process can reach, and removal or replacement of the theme where operationally feasible. Customers can configure HarborGuard compliance policies to flag any image containing Manufaktur Solutions theme versions at or below 1.1.1 as non-compliant and block promotion to production registries.

Affected packages
  • Select-Themes / Manufaktur Solutions
    ≤ 1.1.1
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H