Severity: HIGH · CVE-2026-40761 · CNA: Patchstack

CVE-2026-40761: WordPress Valeska theme <= 1.2.2 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

CVE-2026-40761 is an unauthenticated PHP Object Injection vulnerability in the WordPress Valeska theme by Edge-Themes, affecting all versions up to and including 1.2.2. An attacker can reach it over the network without any credentials, but turning the injection into a working exploit depends on environmental conditions, notably a suitable POP chain being present among the installed code. Successful exploitation can result in full confidentiality loss, data tampering, and service disruption. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as one is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-40761 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, covering custom-built WordPress images alongside vendor-supplied ones. Any image carrying the Valeska theme at version 1.2.2 or earlier is flagged automatically in both registry scans and CI pipeline checks.

Status: Available
Triage

HarborGuard scores this CVE at 8.1 HIGH using the published CVSS v3.1 vector, and per-environment compliance policy weighting can elevate or adjust priority based on each customer org's exposure profile. Triage findings are routed to the appropriate team inbox within each customer organization according to configured notification rules.

Status: Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, customers can apply compensating controls through HarborGuard policy enforcement to flag or block deployment of affected images.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable theme component is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Not required

    No account or credentials of any kind are needed; the injection point is reachable by any unauthenticated request.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from an administrator or site visitor.

  • Attack complexity: High

    Exploitation is rated High complexity, meaning the attacker must account for environmental factors such as the presence of a usable POP chain among installed plugins or themes to turn the injection into a meaningful exploit primitive.

Blast Radius

  • A successful attacker can read any data the web server process can access, including WordPress database credentials, stored user session tokens, and site configuration files.
  • The attacker can modify persisted data such as database rows, stored content, or configuration options by invoking object methods that perform write operations.
  • The attacker can crash or render the WordPress service unavailable by triggering destructors or methods that exhaust resources or fatally error the PHP runtime.
  • Because all three impact dimensions are rated High, the combined effect of a working exploit is effectively full compromise of the affected WordPress installation.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-40761 is flagged on any image containing the Valeska theme at version 1.2.2 or earlier, with severity weighted at 8.1 HIGH. Because no upstream patch exists, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment Edge-Themes publishes a fix. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, typically within minutes of upstream publication for HIGH-severity issues. While awaiting a fix, compensating controls worth considering include network-policy rules that restrict public access to the WordPress installation, egress filtering to limit what a compromised PHP process can reach, and runtime policies that block deployment of images carrying the affected theme version into production namespaces. Where compliance policy permits, HarborGuard can enforce a block-on-deploy rule for the affected version range until a clean rebuild is available.

Affected packages
  • Edge-Themes / Valeska: ≤ 1.2.2
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References