CVE-2026-40757: WordPress Château theme <= 1.2.1 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Château <= 1.2.1 versions.
Metrics
- CVSS v3.1
- 8.1
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
PHP Object Injection is a class of vulnerability in which attacker-controlled data is passed to PHP's unserialize() function, letting the attacker instantiate objects of any class the application has already loaded, with property values of their choosing, and have PHP run those objects' magic methods (__wakeup(), __destruct(), __toString() and similar). This vulnerability in the Château WordPress theme (versions 1.2.1 and earlier) is reachable over the network and requires no authentication. Successful exploitation can give an attacker full read, write, and disruption capabilities against the affected system, though the actual impact depends on which gadget chains (sequences of loaded classes whose magic methods can be linked into a useful primitive such as a file write or code execution) exist in the application's class context, which is determined by WordPress core, the other installed plugins and themes, and any libraries they bundle. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
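As an added illustration of the pattern described above (this is not code from the Château theme or from Mikado-Themes, and it says nothing about which endpoint or class is involved in CVE-2026-40757), the following PHP shows a hypothetical loaded class with a __destruct() side effect, the vulnerable call that hands untrusted bytes to unserialize(), and two hardened alternatives. Every identifier in it is invented for the example; the payload is constructed inline.

```php
<?php
// Added illustration of the PHP Object Injection pattern. This is NOT the
// Château theme's code: the class, the function names and the file path are
// hypothetical, and the payload below is constructed for the demo.
declare(strict_types=1);

// A hypothetical gadget: a class the application has already loaded whose
// magic method acts on properties the attacker controls. unserialize() sets
// properties directly, bypassing the constructor; PHP then runs __destruct()
// when the object is discarded, turning deserialization into a file write.
class HypotheticalCacheWriter
{
    public string $path = '';
    public string $content = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// Vulnerable pattern: untrusted bytes go straight into unserialize().
function restoreStateVulnerable(string $raw): mixed
{
    return unserialize($raw);   // instantiates whatever class the payload names
}

// Hardened pattern 1: forbid object instantiation. Any object in the payload
// becomes __PHP_Incomplete_Class, whose magic methods never run.
function restoreStateNoClasses(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP's native serialization for untrusted
// input at all. json_decode() yields only scalars and arrays, so no gadget.
function restoreStateJson(string $raw): mixed
{
    return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

// What the attacker sends: a serialized object literal naming a loaded class
// and setting its properties. No server-side code of theirs is involved.
function buildPayload(string $class, string $path, string $content): string
{
    return sprintf(
        'O:%d:"%s":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
        strlen($class), $class, strlen($path), $path, strlen($content), $content
    );
}

$target  = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
$payload = buildPayload(HypotheticalCacheWriter::class, $target, "dropped by a deserialized gadget\n");
echo "payload: {$payload}\n";

@unlink($target);
$obj = restoreStateVulnerable($payload);
unset($obj);                                  // __destruct() fires here
printf("vulnerable: %s written = %s\n", $target, var_export(file_exists($target), true));

@unlink($target);
$obj = restoreStateNoClasses($payload);
printf("hardened:   unserialize returned %s\n", get_class($obj));
unset($obj);                                  // incomplete class: no destructor to run
printf("hardened:   %s written = %s\n", $target, var_export(file_exists($target), true));

// The JSON variant simply rejects the payload, which is not valid JSON.
try {
    restoreStateJson($payload);
} catch (JsonException $e) {
    echo "json:       rejected ({$e->getMessage()})\n";
}
```

Run it with `php poi-demo.php`. The unhardened call creates the file because unserialize() populates the gadget's properties and PHP runs its destructor when the object is released; with `allowed_classes => false` the same bytes produce an __PHP_Incomplete_Class object that carries data but no behaviour. Note that `allowed_classes` only removes the gadget entry point: data that genuinely has to round-trip as PHP objects should be authenticated (for example with an HMAC verified before unserialize() is called), and data that does not should be exchanged as JSON.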
HarborGuard Coverage
- Detection: Available
Detection for CVE-2026-40757 is active across every HarborGuard environment: the CVE is matched against customer images, including custom-built images that bundle the Château theme, within minutes of ingestion from upstream feeds such as Patchstack. Coverage applies to images in connected registries and active CI/CD pipelines.
- Prioritization: Available
HarborGuard scores this CVE at CVSS 8.1 (HIGH) and applies per-environment compliance policy weighting to adjust priority where organizational risk thresholds differ. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Fix: Pending upstream
No upstream fix version has been published for CVE-2026-40757. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Mikado-Themes publishes a remediated release.
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress site over the network; the vulnerable deserialization endpoint is exposed via standard HTTP.
- Authentication: Not required
No account or session credentials are needed; the injection can be triggered by an unauthenticated request.
- Victim interaction: Not required
No victim action is required; the attacker sends a crafted request directly to the application without any user involvement.
- Attack complexity: High
Attack complexity is rated High (AC:H), meaning exploitation is not condition-free: success depends on the presence of a usable PHP gadget chain within the application's loaded class context, which may require the attacker to enumerate the installed plugins, themes and bundled libraries first.
Blast Radius
- Reads arbitrary files and sensitive data from the server, including WordPress configuration files containing database credentials.
- Writes or modifies files on the server file system, enabling webshell placement or theme/plugin file tampering.
- Executes arbitrary server-side code if a suitable gadget chain is available in the loaded PHP class context.
- Crashes or disrupts the WordPress application, causing denial of service for site visitors and administrators.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-40757 is active across connected registries and pipelines, matching any image that bundles the Château WordPress theme at version 1.2.1 or earlier. Because no upstream fix has been published, HarborGuard monitors the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild automatically once Mikado-Themes releases a remediated version. In the interim, customers can apply compensating controls through HarborGuard network policy recommendations: isolating the affected container from unnecessary external egress, restricting inbound HTTP access to trusted origins via network policy, and disabling or removing the Château theme from images where it is not actively required. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention the moment a fix version becomes available.
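A local equivalent of the version match described above, added here as an example and not HarborGuard's own tooling: it walks a wp-content/themes directory, reads each theme's style.css header the way WordPress does, and reports copies whose Theme Name is Château at a version at or below 1.2.1. It assumes the header spells the name "Château" and that the directory layout is the standard one; it does not assume the theme's directory slug. When run without an argument it builds a constructed themes directory so it can be tried stand-alone.

```php
<?php
// Added check, not HarborGuard tooling: locate copies of the Château theme at
// version <= 1.2.1 by reading the WordPress theme header in style.css.
// Assumption: the header's "Theme Name:" reads "Château" (the directory slug
// is not relied on). Usage: php find-chateau.php /path/to/wp-content/themes
declare(strict_types=1);

const VULNERABLE_THEME = 'Château';
const LAST_VULNERABLE  = '1.2.1';

/**
 * Read "Key: Value" fields from the file-header comment, the same way
 * WordPress does: only the first 8 KiB of the file are consulted.
 */
function parseThemeHeader(string $css): array
{
    $head   = substr($css, 0, 8192);
    $fields = [];
    foreach (['Theme Name', 'Version', 'Template'] as $key) {
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($key, '/') . ':(.*)$/mi', $head, $m)) {
            $fields[$key] = trim($m[1]);
        }
    }
    return $fields;
}

function isVulnerableTheme(array $fields): bool
{
    return isset($fields['Theme Name'], $fields['Version'])
        && strcasecmp($fields['Theme Name'], VULNERABLE_THEME) === 0
        && version_compare($fields['Version'], LAST_VULNERABLE, '<=');
}

/** Returns [theme directory => version] for every vulnerable copy found. */
function findVulnerableThemes(string $themesDir): array
{
    $hits = [];
    foreach (glob(rtrim($themesDir, '/') . '/*/style.css') ?: [] as $styleCss) {
        $fields = parseThemeHeader((string) file_get_contents($styleCss));
        if (isVulnerableTheme($fields)) {
            $hits[dirname($styleCss)] = $fields['Version'];
        }
    }
    return $hits;
}

// Stand-alone run: build a constructed themes directory when no path is given.
$dir = $argv[1] ?? null;
if ($dir === null) {
    $dir = sys_get_temp_dir() . '/themes-demo-' . getmypid();
    foreach ([
        'chateau'     => "/*\nTheme Name: Château\nVersion: 1.2.1\n*/\n",
        'chateau-old' => "/*\nTheme Name: Château\nVersion: 1.1\n*/\n",
        'other'       => "/*\nTheme Name: Other\nVersion: 1.0.0\n*/\n",
    ] as $slug => $css) {
        mkdir("$dir/$slug", 0700, true);
        file_put_contents("$dir/$slug/style.css", $css);
    }
}

$hits = findVulnerableThemes($dir);
foreach ($hits as $path => $version) {
    echo "CVE-2026-40757: {$path} is Château {$version} (<= " . LAST_VULNERABLE . ")\n";
}
exit($hits === [] ? 0 : 1);
```

The non-zero exit status makes the check usable as a CI gate on an image's extracted filesystem. A child theme declares its own Theme Name and a `Template:` line pointing at the parent slug, so it is not matched by name; the vulnerable code lives in the parent theme's directory, which is the one this check reports. Until a fixed release exists, a hit is only cleared by removing the theme from the image.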
- Mikado-Themes / Château: ≤ 1.2.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H