
Reina WordPress Theme CVE-2026-40735

EUVD-2026-37597 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-17 · Patchstack
8.1 (CVSS 3.1, vendor: Patchstack)

Severity by source

Vendor (Patchstack), primary: 8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.1 HIGH
Rationale: unauthenticated, network-reachable unserialize() sink (AV:N/PR:N/UI:N); AC:H because reliable impact depends on a usable POP gadget chain being present on the target (the same prerequisite the 4.0 vector expresses as AT:P); full C/I/A impact via arbitrary PHP execution once a chain is available.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis generated: Jun 17, 2026, 12:17 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in Reina <= 2.1 versions.

Analysis (AI)

Unauthenticated PHP object injection in the Reina WordPress theme (versions 2.1 and earlier) by Edge Themes allows remote attackers to trigger insecure deserialization, potentially leading to arbitrary code execution, data tampering, or denial of service when a suitable PHP gadget chain is present in the WordPress instance. The flaw carries a CVSS 3.1 score of 8.1 (High) with no public exploit identified at time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Reina ≤2.1 on the target site
Delivery: Craft a serialized PHP object payload carrying a POP gadget chain
Exploit: Send an unauthenticated HTTP request to the vulnerable endpoint
Execution: Trigger unserialize() on the attacker-controlled data
Persist: Gadget chain executes arbitrary PHP
Impact: Establish a webshell or exfiltrate data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the target WordPress site to be running the Edge Themes Reina theme at version 2.1 or earlier and to expose over the network the endpoint that passes attacker-controlled input to PHP unserialize(); no authentication, user interaction, or local access is required (PR:N/UI:N). …
Risk Assessment: The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates remote, unauthenticated exploitation with high impact across confidentiality, integrity, and availability, tempered by high attack complexity, which here reflects the need for a viable gadget chain to be present in the target installation. …
Exploit Scenario: An attacker sends a crafted HTTP request to a Reina-powered WordPress site containing a serialized PHP object payload in a parameter the theme passes to unserialize(); when paired with a gadget chain from WordPress core or a co-installed plugin, the deserialization triggers method calls that achieve file write, SQL injection, or arbitrary code execution under the web server's user. No public exploit had been identified at time of analysis, but PHP object injection in WordPress themes is a well-understood class with public tooling (e.g., PHPGGC) that lowers the barrier for skilled attackers. Whether a chain exists depends on the exact core version and plugin set of each site, and any plugin installed later can supply one, so the absence of a known chain today does not make the sink safe.
Remediation: No vendor-released patch identified at time of analysis from the provided data; site operators should monitor Edge Themes' ThemeForest/changelog and the Patchstack advisory (https://patchstack.com/database/wordpress/theme/reina/vulnerability/wordpress-reina-theme-2-1-php-object-injection-vulnerability) for an updated Reina release above 2.1 and upgrade immediately when available. Until then, the only code-level mitigation is to stop the sink from instantiating classes from that input, for example by calling unserialize() with ['allowed_classes' => false] (PHP 7.0+, which turns O: tokens into __PHP_Incomplete_Class rather than live objects, so no __wakeup or __destruct gadget runs) or by moving the data to JSON; both require modifying theme code and are lost on theme update. …
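The payload shape described in the attack chain and exploit scenario above can be recognised before it reaches unserialize(). The following detector is an added example, not code from vuln.today, Patchstack, or Edge Themes: it parses PHP's serialization format far enough to tell a harmless serialized array from one that would instantiate objects, and reports the class names that unserialize() would create. The parameter name `data`, the class names, and every sample request are constructed placeholders; the real Reina parameter is not named on this page.

```python
"""PHP-object-injection payload detector for HTTP request parameters.

Added example for this advisory; it is not code from vuln.today, Patchstack or
Edge Themes. The parameter name "data" and the class names in the samples are
constructed placeholders, not known Reina parameters or gadget classes.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit


class ParseError(ValueError):
    pass


def parse_php_serialized(data, pos=0):
    """Parse one PHP-serialized value at `pos`; return (value, next_pos).

    Scalars map to Python scalars, arrays to dicts, and objects to the tuple
    ('object', class_name, {props}) so callers can spot instantiation targets.
    """
    t = data[pos]                      # IndexError on truncated input
    if t == 'N':                       # N;
        if data[pos:pos + 2] != 'N;':
            raise ParseError('bad null')
        return None, pos + 2
    if t in 'ibd':                     # i:42;  b:1;  d:3.5;
        end = data.index(';', pos)
        cast = {'i': int, 'd': float, 'b': lambda x: x == '1'}[t]
        return cast(data[pos + 2:end]), end + 1
    if t == 's':                       # s:5:"hello";  length is in bytes, NULs allowed
        colon = data.index(':', pos + 2)
        n = int(data[pos + 2:colon])
        start, stop = colon + 2, colon + 2 + n
        if data[colon + 1] != '"' or data[stop:stop + 2] != '";':
            raise ParseError('bad string')
        return data[start:stop], stop + 2
    if t in 'aO':                      # a:<n>:{k;v;...}   O:<len>:"Class":<n>:{k;v;...}
        colon = data.index(':', pos + 2)
        n = int(data[pos + 2:colon])
        name, p = None, colon + 2
        if t == 'O':
            name = data[colon + 2:colon + 2 + n]
            p = colon + 2 + n + 2      # skip the closing quote and ':'
            colon2 = data.index(':', p)
            n, p = int(data[p:colon2]), colon2 + 2
        items = {}
        for _ in range(n):
            k, p = parse_php_serialized(data, p)
            v, p = parse_php_serialized(data, p)
            items[k] = v
        if data[p] != '}':
            raise ParseError('bad container')
        return (('object', name, items) if t == 'O' else items), p + 1
    raise ParseError(f'unsupported type {t!r}')


def object_classes(value, found=None):
    """Collect every class name that unserialize() would instantiate for `value`."""
    found = [] if found is None else found
    if isinstance(value, tuple) and value[:1] == ('object',):
        found.append(value[1])
        value = value[2]
    if isinstance(value, dict):
        for v in value.values():
            object_classes(v, found)
    return found


LOOKS_SERIALIZED = re.compile(r'^(?:[ibd]:|s:\d+:|a:\d+:|O:\d+:|N;)')
OBJECT_TOKEN = re.compile(r'O:\d+:"')


def scan_request(url):
    """Map parameter name -> class names for parameters that carry PHP objects.

    Serialized scalars and plain arrays are not reported: unserialize() creates
    no objects for them, so reporting them would only add false positives. A
    parameter holding an O: token that fails to parse is reported as '<malformed>'.
    """
    hits = {}
    # latin-1 keeps one byte per code point so PHP's byte lengths line up.
    params = parse_qs(urlsplit(url).query, keep_blank_values=True, encoding='latin-1')
    for name, values in params.items():
        for v in values:
            if not LOOKS_SERIALIZED.match(v):
                continue
            try:
                parsed, _ = parse_php_serialized(v)
                classes = object_classes(parsed)
            except (ParseError, ValueError, IndexError):
                classes = ['<malformed>'] if OBJECT_TOKEN.search(v) else []
            if classes:
                hits.setdefault(name, []).extend(classes)
    return hits


# Constructed sample requests (not captured traffic); "data" is a placeholder name.
SAMPLE_URLS = {
    'benign_array': '/?data=' + quote('a:2:{i:0;s:3:"foo";i:1;i:42;}'),
    'nested_object': '/?data=' + quote('a:1:{i:0;O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}}'),
    'protected_prop': '/?data=' + quote('O:11:"Some_Gadget":1:{s:7:"\x00*\x00path";s:10:"/tmp/x.php";}'),
    'truncated': '/?data=' + quote('O:11:"Some_Gadget":1:{s:7:"'),
}

if __name__ == '__main__':
    for label, url in SAMPLE_URLS.items():
        print(f'{label:15} -> {scan_request(url) or "clean"}')
```

Feed it URL-decoded query strings from a WAF or access-log pipeline; POST bodies and cookie values need the same treatment and go through parse_qs unchanged. The reported names are exactly what unserialize() would instantiate, so any class other than the application's own expected ones, or any class at all on an endpoint that should only receive scalars, is a strong signal; the protected-property sample shows the NUL-delimited names (`\0*\0path`) that gadget chains typically need to set.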

Recommended Action (AI)

Within 24 hours: Inventory all WordPress installations using Reina theme version 2.1 or earlier and immediately disable or remove the theme. …
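One way to carry out that inventory on a host, as an added example (not tooling from vuln.today, Patchstack, or Edge Themes): it walks wp-content/themes, reads each theme's style.css header fields the way WordPress identifies a theme, flags Reina at or below 2.1, and separately lists Reina child themes, which stop working if the parent is removed. The sample theme headers are constructed; the 2.1 threshold comes from the advisory, and because no fixed version is named on this page, "newer" means only above the listed range, not confirmed patched.

```python
"""Inventory WordPress theme directories and flag Reina installs at or below 2.1.

Added example for this advisory, not tooling from vuln.today, Patchstack or
Edge Themes. It reads the style.css header fields WordPress uses to identify a
theme ("Theme Name:", "Version:", "Template:"); the headers written by
build_sample_tree() are constructed, not real theme files.
"""
import re
import tempfile
from pathlib import Path

AFFECTED_SLUG = 'reina'
MAX_AFFECTED = (2, 1)   # advisory: Reina <= 2.1; no fixed version is named on this page

HEADER_RE = re.compile(r'^\s*\*?\s*(Theme Name|Version|Template)\s*:\s*(.+?)\s*$', re.M)


def parse_theme_header(css):
    """Return the recognised header fields of a style.css body as a dict."""
    return dict(HEADER_RE.findall(css))


def version_tuple(v):
    """'2.1.0-rc1' -> (2, 1); trailing zeros are dropped so 2.1.0 compares equal to 2.1."""
    nums = [int(x) for x in re.findall(r'\d+', v.split('-')[0])] or [0]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def classify(css_text):
    """Return (status, version); status is 'affected', 'newer', 'child' or None."""
    h = parse_theme_header(css_text)
    name = h.get('Theme Name', '').strip().lower()
    version = h.get('Version')
    if name == AFFECTED_SLUG:
        # A missing Version header is treated as affected until proven otherwise.
        if version is None or version_tuple(version) <= MAX_AFFECTED:
            return 'affected', version
        return 'newer', version            # above the listed range, not "confirmed fixed"
    if h.get('Template', '').strip().lower() == AFFECTED_SLUG:
        return 'child', version            # depends on the parent; removing Reina breaks it
    return None, version


def scan_themes(themes_dir):
    """Return {status: [(theme directory name, version), ...]} for themes_dir."""
    report = {'affected': [], 'newer': [], 'child': []}
    for css in sorted(Path(themes_dir).glob('*/style.css')):
        status, version = classify(css.read_text(errors='replace'))
        if status:
            report[status].append((css.parent.name, version))
    return report


SAMPLE_THEMES = {   # constructed style.css headers for the demo run
    'reina': '/*\nTheme Name: Reina\nAuthor: Edge Themes\nVersion: 2.1\n*/\n',
    'reina-old': '/*\nTheme Name: Reina\nVersion: 2.0.3\n*/\n',
    'reina-next': '/*\nTheme Name: Reina\nVersion: 2.1.1\n*/\n',
    'reina-child': '/*\nTheme Name: Reina Child\nTemplate: reina\nVersion: 1.0\n*/\n',
    'twentytwentyfour': '/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.1\n*/\n',
}


def build_sample_tree(root):
    """Write the constructed headers as <root>/<slug>/style.css."""
    for slug, css in SAMPLE_THEMES.items():
        d = Path(root) / slug
        d.mkdir(parents=True, exist_ok=True)
        (d / 'style.css').write_text(css)


def demo():
    """Scan the constructed tree; in production point scan_themes() at wp-content/themes."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_themes(root)


if __name__ == '__main__':
    for status, items in demo().items():
        print(f'{status}: {items}')
```

Run it with scan_themes() pointed at every wp-content/themes directory on the host, including sites that keep Reina installed but not activated: an inactive theme still ships its PHP files, and the page does not say whether the sink is reachable only when the theme is active, so treat every copy as in scope until it is removed or updated.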




