CVE-2026-40759: WordPress Esmée theme <= 1.4 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: none published
- Affected Products: 1
HarborGuard Analysis
Synopsis
PHP Object Injection is a class of vulnerability in which attacker-controlled data reaches PHP's unserialize() function. unserialize() instantiates whatever classes the payload names, with attacker-chosen property values, and PHP then runs those classes' magic methods (__wakeup(), __destruct(), __toString() and similar) on the application's behalf; stringing together classes that already exist in the loaded codebase is what turns a deserialization bug into file reads, file writes or code execution. In the WordPress Esmée theme (versions 1.4 and earlier) the injection point is reachable over the network without authentication. Exploitation depends on environmental conditions, chiefly whether a usable gadget (POP) chain is present among the classes loaded by that particular WordPress installation, which is why the CVSS attack complexity is rated High. Where such a chain exists, successful exploitation has high confidentiality, integrity and availability impact on the affected WordPress instance. No fix has been published; HarborGuard tracks the upstream advisory for patch availability.
HarborGuard Coverage
- Detection: Available
CVE-2026-40759 is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against customer images in connected registries and CI/CD pipelines. This matching covers custom-built images that bundle the Esmée theme alongside WordPress, not only images pulled from public registries.
- Scoring: Available
HarborGuard scores this CVE at 8.1 HIGH from its CVSS v3.1 vector and weights the result against each customer environment's compliance policy to reflect local risk tolerance. Routed findings land in the inbox configured for the relevant team inside each customer organization.
- Fix: Pending upstream
Because no fix version has been published for Esmée, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation or flagging images bundling Esmée <= 1.4 as non-compliant for deployment.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation over HTTP/HTTPS.
- Authentication: Not required
No account or session credentials are needed; the injection point is accessible to unauthenticated requests.
- Victim interaction: Not required
Exploitation is entirely attacker-driven and requires no action from a logged-in user or administrator.
- Attack complexity: High
Reliable exploitation depends on environmental factors, chiefly the presence of a suitable POP (property-oriented programming) chain: a sequence of classes already loaded by the WordPress installation, from core, plugins or themes, whose magic methods can be chained to do something useful for the attacker. Without such a chain the injected objects are still created, but the impact is limited to whatever those classes do on their own.
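To make the mechanism in the synopsis and the POP-chain condition above concrete, here is an added example in PHP. It is not the Esmée theme's code and not a reconstruction of the actual injection point; the CacheWriter class stands in for any loaded class with a dangerous magic method, the helper names are hypothetical, and it assumes PHP 8.0 or later.

```php
<?php
// Added example (not the Esmée theme's code): a minimal PHP Object Injection
// with a one-class gadget chain, next to the hardened unserialize() call.
// CacheWriter and the helper names are hypothetical. Assumes PHP 8.0+.
declare(strict_types=1);

// Stand-in for a class that already exists in the loaded codebase (core, a
// plugin or a theme) and does something sensitive in a magic method. Here the
// destructor writes a file, mirroring the "writes or modifies files" impact.
final class CacheWriter
{
    public string $path = '/tmp/cache.txt';
    public string $contents = '';

    public function __destruct()
    {
        // Runs automatically when the object is freed, with whatever property
        // values the serialized payload carried.
        file_put_contents($this->path, $this->contents);
    }
}

// Vulnerable pattern: untrusted input (cookie, POST field, query string)
// reaches unserialize() unguarded, so any loaded class can be instantiated.
function vulnerable_load(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1: refuse to instantiate any class. Objects in the payload
// become __PHP_Incomplete_Class, so no magic method of a real class runs.
function hardened_load(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred for new code): do not use PHP's native
// serialization for data that crosses a trust boundary at all.
function json_load(string $untrusted): mixed
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Build the payload as a plain string, the way an attacker would:
// O:<len>:"Class":<n>:{ <property records> }. Serializing a real CacheWriter
// here instead would trigger its destructor locally.
function build_payload(string $path, string $contents): string
{
    return sprintf(
        'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:8:"contents";s:%d:"%s";}',
        strlen($path), $path,
        strlen($contents), $contents
    );
}

$dropped = sys_get_temp_dir() . '/poi-demo-dropped.txt';
@unlink($dropped);
$payload = build_payload($dropped, "<?php /* stand-in for a dropped file */\n");

// 1. Vulnerable call: a real CacheWriter is created; its destructor fires on free.
$obj = vulnerable_load($payload);
printf("vulnerable_load(): %s\n", get_class($obj));
unset($obj);                                   // __destruct() runs here
printf("  gadget wrote file: %s\n", file_exists($dropped) ? 'yes' : 'no');
@unlink($dropped);

// 2. Hardened call, same payload: a placeholder object, no destructor, no file.
$safe = hardened_load($payload);
printf("hardened_load(): %s\n", get_class($safe));
unset($safe);
printf("  gadget wrote file: %s\n", file_exists($dropped) ? 'yes' : 'no');

// 3. JSON: the payload is not valid JSON and is rejected before any object exists.
try {
    json_load($payload);
} catch (JsonException $e) {
    printf("json_load(): rejected (%s)\n", $e->getMessage());
}
```

Run it with `php poi-demo.php`: the vulnerable call reports a CacheWriter and the file appears in the temp directory, the hardened call reports __PHP_Incomplete_Class and no file is written, and json_decode() rejects the string outright. The point of the allowed_classes option is that it removes the attacker's ability to choose a class at all, which is what every POP chain depends on; it is a safe drop-in where the code genuinely needs serialized scalars and arrays, while switching to JSON removes the sink entirely.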
Blast Radius
- A successful attacker reads arbitrary files from the server, including wp-config.php, which holds the database credentials and the authentication keys and salts.
- A successful attacker writes or modifies files on the server, enabling persistent backdoor placement or defacement of site content.
- A successful attacker can crash or destabilize the PHP process or underlying service, causing denial of service for the hosted WordPress site.
- Where a suitable POP chain exists in loaded plugins, themes or core, the attacker executes arbitrary operating-system commands with the privileges of the PHP worker process running WordPress, which in a containerized deployment means inside the WordPress container rather than on the container host (the CVSS scope is Unchanged).
How HarborGuard Handles This
Available on HarborGuard: images that bundle the Esmée WordPress theme at version 1.4 or earlier are flagged as policy violations as soon as the CVE is matched during a scan cycle. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and triggers a patched-image rebuild automatically the moment a remediated version is published. For customers with auto-remediation enabled, that rebuild is followed by a regression-test run and a PR opened against affected workloads. While waiting for an upstream patch, recommended compensating controls are: restricting public HTTP access to affected WordPress deployments via network policy; rejecting, at the WAF or reverse-proxy layer, requests whose parameters, cookies or body carry a serialized PHP object (the O:<length>:"ClassName": record that unserialize() expects), with the caveat that signature matching is a stopgap an attacker may evade with alternative encodings; and marking images containing Esmée <= 1.4 as non-compliant in your HarborGuard compliance profile so they cannot be promoted to production registries.
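As an added illustration of the request-blocking control above, here is the same check implemented inside WordPress as a must-use plugin rather than in a WAF. This is example code, not HarborGuard's product and not the theme's code; the poi_ function names and the log prefix are hypothetical, the sample inputs are constructed rather than captured traffic, and it assumes PHP 8.0 or later.

```php
<?php
// Added example (not HarborGuard's or the theme's code): a request-level
// compensating control that rejects inputs carrying a serialized PHP object,
// written as a WordPress must-use plugin (drop into wp-content/mu-plugins/).
// The poi_ names are hypothetical. Assumes PHP 8.0+.
declare(strict_types=1);

/**
 * True if $value contains an object record as unserialize() would parse it:
 *   O:<len>:"<Class>":<n>:{   (ordinary object)
 *   C:<len>:"<Class>":<n>:{   (class implementing Serializable)
 * Serialized arrays (a:...) are deliberately not flagged, since only object
 * records can reach a magic method. The check is repeated after one round of
 * URL decoding and after base64 decoding, two common ways to wrap a payload.
 */
function poi_contains_serialized_object(string $value, int $depth = 0): bool
{
    $objectRecord = '/(?:^|[^A-Za-z0-9])[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":\d+:\{/';
    if (preg_match($objectRecord, $value) === 1) {
        return true;
    }
    if ($depth >= 2) {
        return false;
    }
    // PHP already URL-decodes $_GET/$_POST once, so this catches double encoding.
    $decoded = rawurldecode($value);
    if ($decoded !== $value && poi_contains_serialized_object($decoded, $depth + 1)) {
        return true;
    }
    if (preg_match('/^[A-Za-z0-9+\/]{8,}={0,2}$/', $value) === 1) {
        $raw = base64_decode($value, true);
        if ($raw !== false && poi_contains_serialized_object($raw, $depth + 1)) {
            return true;
        }
    }
    return false;
}

/**
 * Walk a nested input array ($_GET, $_POST, $_COOKIE) and return the key path
 * of the first suspicious value, or null when the input is clean.
 */
function poi_scan_input(array $input, string $prefix = ''): ?string
{
    foreach ($input as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $hit = poi_scan_input($value, $path);
            if ($hit !== null) {
                return $hit;
            }
        } elseif (is_string($value) && poi_contains_serialized_object($value)) {
            return $path;
        }
    }
    return null;
}

if (function_exists('add_action')) {
    // Loaded by WordPress: check every request before plugins and the theme run.
    add_action('muplugins_loaded', static function (): void {
        $sources = ['GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE];
        // JSON and XML-RPC bodies never populate $_POST, so scan the raw body too.
        $body = (string) file_get_contents('php://input');
        if ($body !== '') {
            $sources['BODY'] = ['raw' => $body];
        }
        foreach ($sources as $name => $data) {
            $hit = poi_scan_input($data);
            if ($hit !== null) {
                // Log where it was found, not the payload itself.
                error_log(sprintf('poi-guard: blocked serialized object in %s[%s]', $name, $hit));
                wp_die('Request blocked.', 'Forbidden', ['response' => 403]);
            }
        }
    }, 0);
} elseif (PHP_SAPI === 'cli') {
    // Stand-alone check with constructed samples (not captured traffic).
    $samples = [
        'object'             => 'O:11:"CacheWriter":1:{s:4:"path";s:10:"/tmp/x.php";}',
        'double url-encoded' => 'O%3A11%3A%22CacheWriter%22%3A1%3A%7Bs%3A4%3A%22path%22%3Bs%3A10%3A%22%2Ftmp%2Fx.php%22%3B%7D',
        'base64 wrapped'     => base64_encode('a:1:{i:0;O:8:"stdClass":0:{}}'),
        'serialized array'   => 'a:2:{i:0;s:1:"x";i:1;i:2;}',
        'ordinary text'      => 'hello O: world',
    ];
    foreach ($samples as $label => $value) {
        printf("%-20s %s\n", $label, poi_contains_serialized_object($value) ? 'block' : 'allow');
    }
}
```

Run outside WordPress with `php poi-guard.php` to see the classifier's verdict on each constructed sample: the three object-bearing inputs are blocked, the plain serialized array and ordinary text are allowed. Two caveats apply whether this lives in an mu-plugin or a WAF rule: it is signature-based, so payloads wrapped in an encoding the check does not unwrap (gzip, a custom scheme, a value split across fields) will pass, which is why it is a stopgap until the upstream fix and not a replacement for it; and any plugin that legitimately submits serialized objects in a request will be blocked, so test on staging before enabling it in production.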
Affected Products
- Mikado-Themes / Esmée ≤ 1.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H