ShiftUp WordPress Theme
CVE-2026-40733
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable, unauthenticated WordPress theme endpoint (AV:N/PR:N/UI:N); AC:H because reliable code execution needs a usable POP (property-oriented programming) gadget chain among the classes actually loaded on the target site; full confidentiality, integrity and availability impact via object injection.
Primary rating from Vendor (Patchstack).
CVSS Vector (Vendor: Patchstack)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Unauthenticated PHP Object Injection in ShiftUp <= 1.3 versions.
Analysis (AI)
Unauthenticated PHP object injection in the Mikado Themes ShiftUp WordPress theme (versions ≤ 1.3) lets remote attackers pass attacker-controlled serialized data into a PHP unserialize() sink, where gadget chains built from already-loaded classes can lead to remote code execution, data tampering or site takeover. The CVSS 3.1 score is 8.1: high attack complexity, but no privileges and no user interaction required. No public exploit had been identified at the time of analysis. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The target site must be running the Mikado Themes ShiftUp theme at version 1.3 or earlier and must expose the vulnerable theme endpoint to the network (the default for any public WordPress install). … |
| Risk Assessment | Signals are mixed but lean toward prioritized patching for sites running this theme. … |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request to a public endpoint exposed by the ShiftUp theme, embedding a serialized PHP object in a parameter that the theme passes to unserialize(). As PHP rehydrates the object, magic methods (__wakeup(), __destruct(), __toString() and similar) on classes loaded by WordPress core, the theme or other installed plugins run as links of a gadget chain, ending in an arbitrary file write or code execution as the web server user. … |
| Remediation | Upstream fix status is unclear: Patchstack lists versions ≤ 1.3 as vulnerable but names no fixed version, so treat this as "no vendor-released patch identified at time of analysis" pending confirmation from Mikado Themes. Check the Patchstack advisory (https://patchstack.com/database/wordpress/theme/shiftup/vulnerability/wordpress-shiftup-theme-1-3-php-object-injection-vulnerability) and the ThemeForest / Mikado Themes vendor page for a release after 1.3 and upgrade as soon as one is published. … |
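The sink-side behaviour described in the Exploit Scenario row, as an added example that is not code from the ShiftUp theme, Mikado Themes or Patchstack. A hypothetical gadget class `LogWriter` stands in for whatever loaded class a real chain would abuse; `handle_vulnerable()` is the unsafe pattern and `handle_hardened()` the fix using `allowed_classes => false`. Every class, function and property name here is an assumption; the theme's real endpoint and parameter are not identified on this page.

```php
<?php
// Added example: hypothetical gadget class and hypothetical handlers. Not the
// ShiftUp theme's code; the theme's real endpoint and parameter names are not
// given on the advisory page.

// Stand-in for a gadget class that happens to be loaded by WordPress core or
// another installed plugin: its destructor writes $data to $path, so an
// attacker who controls both properties gets an arbitrary file write the
// moment the rehydrated object is freed.
class LogWriter
{
    public $path;
    public $data;

    public function __destruct()
    {
        if ($this->path !== null) {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable pattern: attacker-controlled input reaches unserialize() with
// every loaded class eligible for instantiation, so __wakeup()/__destruct()
// of whatever class the payload names will run.
function handle_vulnerable(string $input)
{
    return unserialize($input);
}

// Walks a decoded value and reports whether any object was smuggled in,
// including objects nested inside arrays.
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern: allowed_classes => false stops PHP from instantiating
// anything; objects come back as __PHP_Incomplete_Class and no magic method
// fires. Payloads that contained objects at all are rejected outright, since
// an endpoint like this only ever needs scalars and arrays.
function handle_hardened(string $input)
{
    $value = @unserialize($input, ['allowed_classes' => false]);
    if ($value === false && $input !== 'b:0;') {
        return null; // malformed input ('b:0;' is the only legitimate false)
    }
    if (contains_object($value)) {
        return null; // object smuggled in; refuse it
    }
    return $value;
}

// Build the string an attacker would send. serialize() is used only to avoid
// hand-counting byte lengths; the wire format is identical to a hand-crafted
// payload and starts with O:9:"LogWriter":2:{
$target = sys_get_temp_dir() . '/poi-demo.txt';
$gadget = new LogWriter();
$gadget->path = $target;
$gadget->data = "gadget fired\n";
$payload = serialize($gadget);
$gadget->path = null; // keep the local instance inert when it is destroyed
unset($gadget);

@unlink($target);
$obj = handle_vulnerable($payload); // LogWriter instantiated from input
unset($obj);                        // refcount hits zero: __destruct() fires
printf("vulnerable sink: file written? %s\n", file_exists($target) ? 'yes' : 'no');

@unlink($target);
$safe = handle_hardened($payload);  // same payload, nothing instantiated
printf("hardened sink: returned %s, file written? %s\n",
    var_export($safe, true), file_exists($target) ? 'yes' : 'no');
```

Run it with `php poi-demo.php`: the vulnerable handler leaves the target file behind, the hardened one returns null and writes nothing. The same payload shape works against any class with a useful magic method, which is why the CVSS vector treats "a working gadget chain exists on this site" as the only real precondition (AC:H) once the sink is reachable.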
Recommended Action (AI)
Within 24 hours: audit all WordPress installations for the ShiftUp theme at version ≤ 1.3; request a patch timeline from Mikado Themes; deploy Web Application Firewall rules that block serialized PHP object payloads (the `O:<len>:"<class>":` marker, including URL- and base64-encoded forms) in request parameters, bodies and cookies. …
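The "block PHP serialization payloads" step above, implemented as an in-application stand-in for a WAF rule: a WordPress must-use plugin that inspects query string, body and cookies for serialized-object markers. This is an added example, not a Mikado Themes or Patchstack release; the plugin name, the `poi_guard_*` function names and the `POI_GUARD_*` constants are all assumptions. It uses only WordPress functions that exist in current releases (`add_action`, `wp_unslash`, `status_header`, `nocache_headers`).

```php
<?php
/*
Plugin Name: Serialized-object request guard (added example)
Description: Rejects requests carrying serialized PHP objects. Added example,
not a Mikado Themes or Patchstack release; place in wp-content/mu-plugins/.
*/

// Log-only mode: set to false once you have confirmed that no legitimate
// traffic on the site carries serialized objects in query, body or cookies.
const POI_GUARD_LOG_ONLY = true;

// Matches the object markers of PHP's serialization format:
//   O:<len>:"<class>":<n>:{    plain object
//   C:<len>:"<class>":<len>:{  Serializable::unserialize() form
// Scalars (s:, i:, b:) and plain arrays (a:) are deliberately not matched so
// ordinary serialized settings do not trip the rule.
const POI_GUARD_PATTERN = '/\b[OC]:\d+:"[^"]+":\d+:\{/';

// True when $value, its URL-decoded form, or its base64-decoded form
// contains a serialized object marker.
function poi_guard_looks_like_object(string $value): bool
{
    if (preg_match(POI_GUARD_PATTERN, $value)) {
        return true;
    }
    $decoded = rawurldecode($value);
    if ($decoded !== $value && preg_match(POI_GUARD_PATTERN, $decoded)) {
        return true;
    }
    if (preg_match('#^[A-Za-z0-9+/]{16,}={0,2}$#', $value)) {
        $b64 = base64_decode($value, true);
        if ($b64 !== false && preg_match(POI_GUARD_PATTERN, $b64)) {
            return true;
        }
    }
    return false;
}

// Recursively scans keys and values of a superglobal-shaped array.
function poi_guard_scan($data): bool
{
    if (is_array($data)) {
        foreach ($data as $key => $value) {
            if (poi_guard_scan((string) $key) || poi_guard_scan($value)) {
                return true;
            }
        }
        return false;
    }
    return is_string($data) && poi_guard_looks_like_object($data);
}

// True when the current request should be rejected. WordPress adds slashes
// to $_GET/$_POST/$_COOKIE before init, so wp_unslash() restores the raw
// bytes; php://input is read directly to cover JSON and other raw bodies.
function poi_guard_request_is_suspicious(): bool
{
    foreach ([$_GET, $_POST, $_COOKIE] as $source) {
        if (poi_guard_scan(wp_unslash($source))) {
            return true;
        }
    }
    $raw = (string) file_get_contents('php://input');
    return $raw !== '' && poi_guard_looks_like_object($raw);
}

function poi_guard_enforce(): void
{
    if (!poi_guard_request_is_suspicious()) {
        return;
    }
    error_log(sprintf('poi-guard: serialized object in request %s %s from %s',
        $_SERVER['REQUEST_METHOD'] ?? '?', $_SERVER['REQUEST_URI'] ?? '?',
        $_SERVER['REMOTE_ADDR'] ?? '?'));
    if (POI_GUARD_LOG_ONLY) {
        return;
    }
    status_header(403);
    nocache_headers();
    exit;
}

// Priority 0 on init runs before theme template code, admin-ajax and REST
// handlers, which all dispatch later in the request.
add_action('init', 'poi_guard_enforce', 0);
```

To verify the hook is live, request any page with a harmless marker such as `?x=O:8:"stdClass":0:{}` and look for the `poi-guard:` line in the PHP error log; once the log stays quiet for real traffic, set `POI_GUARD_LOG_ONLY` to false and the same request returns 403. This is a compensating control, not a fix: it narrows the delivery path but does not remove the unserialize() sink, and a payload reaching the endpoint through a channel the guard does not inspect (for example multipart fields a later hook reads from a different source, or a hook that runs before init) would still get through.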
More from same product – last 7 days
Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through
Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers