HarborGuard Database

HIGH · CVE-2026-40758 · CNA: Patchstack

CVE-2026-40758: WordPress Léonie theme <= 1.2.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Léonie versions <= 1.2.1.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection is a vulnerability in the Léonie WordPress theme (versions 1.2.1 and earlier) where attacker-controlled input is passed to PHP's unserialization routines without validation. The flaw is reachable over the network and requires no authentication, though successful exploitation depends on environmental conditions such as the presence of a suitable PHP property-oriented programming (POP) chain in the loaded codebase. When exploited, an attacker gains the ability to read sensitive data, tamper with stored content, or crash the affected service, and in many environments a full remote code execution primitive is achievable. No upstream fix has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is released.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-40758 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built WordPress images that bundle the Léonie theme. Coverage extends to any image layer where the affected theme files are present, regardless of whether the image is based on an official upstream base.

Triage (Available)

HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer org based on configured ownership rules, so the right engineers see the alert without manual triage.

Patch (Pending upstream)

Because no fix version has been published by the vendor, HarborGuard re-checks the Patchstack advisory and upstream package feeds on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is shipped. In the interim, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation for pods running the affected image and egress filtering to limit the blast radius of a successful exploit.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker can reach it from the internet or any routable path to the WordPress installation without needing internal access.

  • Authentication: Not required

    No account or session credential is needed; the attacker can trigger unserialization as an anonymous, unauthenticated HTTP request.

  • Victim interaction: Not required

    Exploitation is fully server-side and does not require any action from an administrator or other user of the site.

  • Attack complexity: High

    Exploitation is rated High complexity, meaning success depends on environmental factors such as the availability of a suitable POP chain among the PHP classes loaded by the application, which may require reconnaissance or specific plugin combinations.

Blast Radius

  • Reads arbitrary files on the server, including WordPress configuration files that contain database credentials and secret keys.
  • Modifies or deletes database rows and stored content if the POP chain supports write operations.
  • Crashes the PHP process or the web server worker handling the request, causing service disruption for site visitors.
  • In environments where a full POP chain is available, executes arbitrary operating system commands as the web server user, giving the attacker a persistent foothold on the host.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-40758 as of the publication date, the platform monitors the Patchstack advisory and all relevant upstream feeds on every ingest cycle. The moment the Elated-Themes vendor ships a fix, HarborGuard will make a patched-image rebuild available, and customers with auto-remediation enabled will receive an automatic rebuild, regression-test run, and a pull request opened against affected workloads without manual intervention. While no fix is available, customers are encouraged to use HarborGuard's network-policy controls to isolate pods running the Léonie theme from unnecessary inbound routes, apply egress filtering to limit post-exploitation reach, and consider disabling the theme on externally-exposed WordPress instances until a patch is confirmed. All affected images flagged by the scanner are surfaced in the findings dashboard with CVSS 8.1 HIGH severity, and compliance-policy routing ensures the owning team is notified directly.

Affected packages

  • Elated-Themes / Léonie: ≤ 1.2.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H