CVE-2026-40760: WordPress Behold theme <= 1.5 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Behold <= 1.5 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
PHP Object Injection is a vulnerability class that can lead to unauthenticated remote code execution; this instance affects the Behold WordPress theme by Edge-Themes, versions 1.5 and below. The flaw is reachable over the network without any credentials, though exploitation depends on environmental conditions (such as a suitable POP chain being present in the application's loaded code). Successful exploitation gives an attacker full control over confidentiality, integrity, and availability of the affected host. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment; the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built WordPress images. Coverage extends to images that bundle the Behold theme directly, regardless of whether they originate from a public base or an internally maintained layer.
Status: Available
HarborGuard surfaces this CVE with its CVSS v3.1 score of 8.1 (HIGH) and applies per-environment compliance policy weighting to determine urgency before routing the finding to the appropriate team inbox within each customer organization. Teams running WordPress-based container workloads will see this finding prioritized in their queue given the unauthenticated attack path.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment Edge-Themes or Patchstack publishes a remediated release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention as soon as the fix lands.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation.
- Authentication: Not required
No account or session credentials of any kind are needed to trigger the injection.
- Victim interaction: Not required
The attack is entirely server-side; no user action or social engineering is required.
- Attack complexity: High
Exploitation is rated High complexity: the attacker must account for environmental factors such as the presence of a usable POP (property-oriented programming) chain, a sequence of existing PHP classes whose magic methods can be chained together, within the application.
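The mechanism behind this vulnerability class, as an added illustration that is not code from the Behold theme, Edge-Themes, Patchstack or HarborGuard: the advisory does not state where the theme calls unserialize(), so the snippet below shows the generic pattern with a hypothetical AuditHook gadget class and hypothetical loadPrefs* functions, and assumes PHP 8.0 or later. The vulnerable function passes untrusted input straight to unserialize(), so any class already loaded by the application is instantiated and its __wakeup runs; the hardened forms either forbid object instantiation with allowed_classes => false or switch to a data-only format, which is the kind of input-path control the remediation guidance refers to.

```php
<?php
// Added illustration of PHP Object Injection; not the Behold theme's code.
// Class, function and field names are hypothetical.

// A "gadget": any class the application already loads whose magic methods
// (__wakeup, __destruct, __toString, ...) do something an attacker can use.
// This one only records that it ran, so the demonstration is harmless.
class AuditHook
{
    public string $target = '';
    public static array $invoked = [];

    public function __wakeup(): void
    {
        // In a real POP chain this would be a file write, an include, etc.
        self::$invoked[] = 'wakeup:' . $this->target;
    }
}

// VULNERABLE pattern: untrusted bytes (cookie, POST field, query string)
// go straight to unserialize(). Any loaded class can be instantiated and
// its __wakeup / __destruct executed without authentication.
function loadPrefsVulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// HARDENED pattern 1: keep the format but refuse objects entirely.
// allowed_classes => false turns every serialized object, at any depth,
// into __PHP_Incomplete_Class, so no magic method ever runs.
function loadPrefsHardened(string $raw): mixed
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        return null; // reject rather than carry an inert object around
    }
    return $value;
}

// HARDENED pattern 2 (preferred for new code): use a data-only format
// that has no notion of classes at all.
function loadPrefsJson(string $raw): ?array
{
    $value = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : null;
}

// Constructed inputs: a benign preferences array, and a serialized gadget
// standing in for an attacker-supplied payload.
$benign = serialize(['layout' => 'grid', 'per_page' => 12]);
$gadget = new AuditHook();
$gadget->target = 'demo';
$payload = serialize($gadget);

AuditHook::$invoked = [];
loadPrefsVulnerable($benign);
loadPrefsVulnerable($payload);
printf("vulnerable: __wakeup ran %d time(s)\n", count(AuditHook::$invoked));

AuditHook::$invoked = [];
$result = loadPrefsHardened($payload);
printf("hardened:   __wakeup ran %d time(s), result=%s\n",
       count(AuditHook::$invoked), var_export($result, true));

// The hardened loader still handles legitimate data-only input.
var_dump(loadPrefsHardened($benign));
var_dump(loadPrefsJson('{"layout":"grid","per_page":12}'));
```

Run with `php demo.php`: the vulnerable loader reports one __wakeup invocation for the payload, the hardened loader reports zero and returns null, and both hardened loaders return the plain preferences array for benign input. The top-level instanceof check is hygiene only; with allowed_classes => false, objects nested inside arrays are already inert because no magic method is invoked on an incomplete class.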
Blast Radius
- A successful attacker can read any file readable by the web server process, including WordPress configuration files that contain database credentials and secret keys.
- An attacker can write or modify files on the host, enabling persistent backdoor installation or defacement of site content.
- Arbitrary PHP code execution is achievable if a suitable POP chain exists, giving the attacker full operating-system-level command execution within the container.
- The web server process can be crashed or resource-exhausted, causing a denial of service for the hosted site.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-40760, the platform monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is published. In the interim, customers are advised to use HarborGuard network-policy recommendations to restrict inbound HTTP access to Behold-themed WordPress containers to known-good sources, apply egress filtering to limit outbound connections from those containers (reducing the value of remote code execution), and consider feature-flag or WAF-level controls that block or sanitize the deserialization input path. For customers with auto-remediation enabled, the full rebuild, regression test, and PR flow will activate without manual steps as soon as the upstream fix is available; for all others, a manual rebuild prompt will appear in the HarborGuard dashboard at that time.
Affected Products
- Edge-Themes / Behold: ≤ 1.5
- CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H