CVE-2026-40756 (HIGH). CNA: Patchstack

CVE-2026-40756: WordPress Zoya theme <= 1.4 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Zoya <= 1.4 versions.

Metrics

CVSS v3.1: 8.1 (HIGH)
Fixed in: no fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a class of vulnerability in which attacker-controlled data reaches PHP's unserialize(). The attacker can then instantiate an object of any class that is declared (or autoloadable) at that point, with property values of their choosing, and PHP runs that class's magic methods (__wakeup, __unserialize, __destruct, __toString and others) on those values when the object is unserialized, used or freed. The Zoya WordPress theme (versions 1.4 and below) is affected, and the injection point is reachable over the network without authentication. What an attacker can actually do depends on the gadget classes present in the application, that is, on the other plugins and themes loaded alongside the theme; with a suitable chain, successful exploitation can yield full confidentiality loss, data tampering and denial of service (CVSS vector C:H/I:H/A:H). No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched rebuild available as soon as one is released.
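The pattern described above, shown as an added example in plain PHP 8 (this is not code from the Zoya theme or from HarborGuard; the CacheFile class, the load_state_* functions and the payload are hypothetical and constructed for illustration). The vulnerable sink is placed beside two hardened forms: unserialize() with object instantiation forbidden, and replacing PHP serialization with JSON for untrusted input.

```php
<?php
// Added example (not code from the Zoya theme or from HarborGuard): the
// PHP Object Injection pattern, next to two hardened forms.
// Class, function and parameter names are hypothetical.

// A "gadget": any class in scope whose magic methods act on their property
// values. unserialize() creates objects of such classes with attacker-chosen
// properties, so __destruct() below runs on attacker data.
class CacheFile
{
    public string $path = '';
    public string $contents = '';

    public function __destruct()
    {
        // Fires automatically when the object is freed, including objects
        // that were never constructed by application code.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->contents);
        }
    }
}

// VULNERABLE: raw request data reaches unserialize(). Any class that is
// declared or autoloadable at this point can be instantiated.
function load_state_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// HARDENED (a): keep unserialize() but forbid object instantiation.
// O:... tokens become __PHP_Incomplete_Class; no real class's magic method runs.
function load_state_no_objects(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// HARDENED (b): do not use PHP serialization for untrusted input at all.
function load_state_json(string $raw): ?array
{
    $data = json_decode($raw, true, 64, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Constructed attacker input: a serialized CacheFile pointing at a path the
// attacker chose. The s:N: lengths must match the strings exactly.
$payload = 'O:9:"CacheFile":2:{s:4:"path";s:17:"/tmp/poi-demo.txt";'
         . 's:8:"contents";s:5:"owned";}';

// Vulnerable path: a CacheFile is created from the payload and, once $obj is
// released, its destructor writes the attacker-chosen file.
$obj = load_state_vulnerable($payload);
echo "vulnerable sink produced: ", get_class($obj), "\n";
unset($obj);
echo file_exists('/tmp/poi-demo.txt') ? "file written by destructor\n" : "no file\n";
@unlink('/tmp/poi-demo.txt');

// Hardened (a): the result is an inert placeholder object; CacheFile's
// destructor is never involved.
$inert = load_state_no_objects($payload);
echo "hardened (a) produced: ", get_class($inert), "\n";

// Hardened (b): the serialized payload is simply not valid JSON and is rejected.
try {
    load_state_json($payload);
} catch (JsonException $e) {
    echo "hardened (b) rejected input: ", $e->getMessage(), "\n";
}
```

Note that option (a) only stops instantiation of real classes; if the application later needs the data to be an object, it will receive a __PHP_Incomplete_Class instead, so the calling code must tolerate that. Option (b) is the cleaner fix wherever the serialized data is a plain array or scalar, which is the common case for theme and plugin options.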

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images in registries and CI/CD pipelines, covering custom-built WordPress images that bundle the Zoya theme. Any image layer containing Zoya at or below version 1.4 is flagged automatically.

Triage: Available

HarborGuard surfaces this CVE with its CVSS v3.1 score of 8.1 (HIGH), weighted against each environment's compliance policy to prioritize routing. Alerts are directed to the appropriate team inbox within each customer org based on ownership rules configured in the HarborGuard policy engine.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated release appears. In the meantime, customers can apply compensating controls through HarborGuard's policy engine, such as network-egress restrictions or image-level feature gating, to reduce exposure while the advisory remains open.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network (AV:N): an attacker needs only HTTP access to the site, not local or adjacent-network access, so an internet-facing installation is reachable from anywhere.

  • Authentication: Not required

    No account or credentials of any privilege level are needed (PR:N); the injection point is reachable by any unauthenticated HTTP request.

  • Victim interaction: Not required

    The attacker does not need to involve or trick any user (UI:N); the attack is executed entirely server-side.

  • Attack complexity: High

    Exploitation is rated High complexity (AC:H): the attacker depends on environmental conditions outside their control, above all the presence of a suitable PHP gadget chain among the classes the target application loads, so reliable exploitation is conditional on the target's plugin and theme set.

Blast Radius

  • A successful attacker can read sensitive data from the WordPress installation, including database credentials, API keys, and stored user records, depending on the gadget chain available.
  • The attacker can modify or delete persisted data, including WordPress posts, settings, and user account details, if a writable gadget is present.
  • The attacker can crash or destabilize the PHP runtime or web server process, taking the site offline.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-40756 is active across all connected registries and pipelines, flagging any image that packages Zoya at or below version 1.4. Because no upstream patch exists at this time, HarborGuard will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a fix version is published by Mikado-Themes or confirmed by Patchstack. While the advisory remains open, customers are advised to use HarborGuard's network-policy controls to restrict public HTTP access to WordPress installations running the affected theme, and to review loaded plugins and themes for PHP classes that could form a gadget chain usable with unserialized input (unserialize() autoloads classes on demand, so autoloadable classes count as well as those already loaded). HarborGuard re-evaluates the advisory on every ingest cycle so no manual follow-up is required to catch the patch when it arrives.
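One way to do the gadget-surface review recommended above, as an added example that is not HarborGuard's or the theme's code: a reflection-based script that lists every non-internal class declaring a magic method unserialize() can trigger. The function name gadget_candidates and the two demonstration classes are hypothetical; in a WordPress installation the script is meant to run after plugins and the theme have loaded, for instance via `wp eval-file`.

```php
<?php
// Added example (not HarborGuard's or the theme's code): list application
// classes that define magic methods unserialize() can trigger, i.e. the
// candidate gadget surface for an object-injection sink. In WordPress, run it
// after plugins and the theme are loaded, e.g. `wp eval-file gadget-audit.php`.
// Caveat: get_declared_classes() only sees classes already loaded, while
// unserialize() will also autoload classes on demand, so composer-autoloaded
// plugin code must be reviewed separately.

const MAGIC_METHODS = [
    '__wakeup', '__unserialize', '__destruct', '__toString', '__call', '__get', '__set',
];

/**
 * @param string[]|null $classes  class names to inspect; null = everything declared
 * @return array<string, array{methods: string[], file: string|false}>
 */
function gadget_candidates(?array $classes = null): array
{
    $classes ??= get_declared_classes();
    $out = [];
    foreach ($classes as $name) {
        $rc = new ReflectionClass($name);
        if ($rc->isInternal()) {
            continue; // built-in PHP classes are not application gadgets
        }
        $hits = [];
        foreach (MAGIC_METHODS as $method) {
            // Report only methods the class itself declares, not inherited ones,
            // so each gadget is listed once, at its source.
            if ($rc->hasMethod($method)
                && $rc->getMethod($method)->getDeclaringClass()->getName() === $rc->getName()) {
                $hits[] = $method;
            }
        }
        if ($hits !== []) {
            $out[$rc->getName()] = ['methods' => $hits, 'file' => $rc->getFileName()];
        }
    }
    ksort($out);
    return $out;
}

// Self-contained demonstration with two constructed classes; in a real audit,
// call gadget_candidates() with no argument to scan everything loaded.
class TempFileCleaner
{
    public string $path = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            @unlink($this->path); // attacker-controlled $path would be deleted
        }
    }
}

class PlainValue
{
    public int $n = 0; // no magic methods: not a gadget candidate
}

foreach (gadget_candidates([TempFileCleaner::class, PlainValue::class]) as $class => $info) {
    printf("%-20s %-30s %s\n", $class, implode(',', $info['methods']), $info['file']);
}
```

A class appearing in this list is not automatically exploitable; it is a starting point for reading what its magic methods do with attacker-controllable properties (file writes or deletes, includes, database queries, callbacks). Classes with __toString, __call and __get matter mainly as links in a longer chain.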

Affected packages
  • Mikado-Themes / Zoya
    ≤ 1.4
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H