
Laurits Theme CVE-2026-40736

EUVD-2026-37485 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-16 · Patchstack
CVSS 3.1 base score 8.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.1 HIGH
Network-reachable unauthenticated injection (AV:N/PR:N/UI:N) with AC:H for required gadget-chain discovery; successful deserialization to RCE yields full C/I/A impact on the WordPress host.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis generated: Jun 16, 2026, 23:33 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions.

Analysis (AI)

Unauthenticated PHP object injection in the Laurits WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data, potentially leading to code execution, data tampering, or denial of service when a suitable gadget chain is present in the WordPress stack. The flaw was disclosed via Patchstack and is tracked as EUVD-2026-37485; no public exploit had been identified at the time of analysis, though the high CVSS score of 8.1 and the CWE-502 classification mark it as a serious supply-chain risk for sites running this commercial Edge-Themes product.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Fingerprint WordPress site running Laurits ≤1.5.1
Delivery: Enumerate installed plugins for POP gadgets
Exploit: Craft serialized PHP object payload
Install: Send unauthenticated HTTP request to vulnerable endpoint
C2: Trigger unserialize and gadget chain
Execute: Execute arbitrary code as web user
Impact: Establish persistence via malicious plugin or admin user

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target WordPress site has the Laurits theme by Edge-Themes installed and active at version 1.5.1 or earlier, and that the attacker can reach the vulnerable theme endpoint over HTTP/HTTPS (typical for public WordPress sites). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N with C:H/I:H/A:H accurately reflects an unauthenticated remote injection with high attack complexity; the AC:H signal almost certainly captures the need for a viable gadget chain in the loaded codebase, which depends on which plugins and core version are installed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker crafts a serialized PHP payload that, when unserialized, traverses a magic-method gadget chain present in the target's WordPress install and sends it to a vulnerable Laurits endpoint (typically an unauthenticated admin-ajax.php action or theme front-end handler) in a single HTTP request. The AC:H rating reflects that the attacker must first fingerprint the site's plugin stack to select a chain that lands at a useful sink such as a file write or eval; once tuned, the request yields code execution as the web user with no authentication required. …

Remediation: No vendor-released patch was identified at the time of analysis from the provided data; consult the Patchstack advisory at https://patchstack.com/database/wordpress/theme/laurits/vulnerability/wordpress-laurits-theme-1-5-1-php-object-injection-vulnerability for the fixed version and upgrade Laurits to that release as soon as Edge-Themes publishes it. … Detailed patch versions, workarounds, and compensating controls in full report.
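As an added example (not code from vuln.today, Patchstack or the Laurits theme), the check a WAF rule or log review for this bug class performs: scan request parameters for serialized PHP object markers, including URL-encoded and base64-encoded forms, while leaving plain serialized arrays and scalars alone. The parameter names and sample bodies are constructed; the page does not identify the vulnerable endpoint, so nothing here is specific to it.

```python
import base64
import re
from urllib.parse import parse_qsl, quote_plus, unquote_plus

# A serialized PHP object begins O:<len>:"<Class>":<props>:{ (C: is the older
# Serializable form). Arrays (a:) and scalars (s:, i:) do not instantiate classes
# and therefore cannot reach __wakeup/__destruct gadgets, so they are not flagged.
_PHP_OBJECT = re.compile(r'(?<![A-Za-z0-9])[OC]:\d+:"(?P<cls>[A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:')
_B64 = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def candidate_views(value: str) -> list[str]:
    """Return the value as received plus URL-decoded and base64-decoded forms of it."""
    views = [value]
    decoded = unquote_plus(value)          # parse_qsl already decoded once: this catches double encoding
    if decoded != value:
        views.append(decoded)
    for v in list(views):
        s = v.strip()
        if _B64.fullmatch(s):
            try:
                views.append(base64.b64decode(s, validate=True).decode("latin-1"))
            except ValueError:             # not valid base64 after all: ignore
                pass
    return views


def find_php_objects(query_or_body: str) -> list[tuple[str, str]]:
    """Scan a query string or form body; return (parameter, class name) for each serialized object."""
    hits = []
    for name, value in parse_qsl(query_or_body, keep_blank_values=True):
        for view in candidate_views(value):
            m = _PHP_OBJECT.search(view)
            if m:
                hits.append((name, m.group("cls")))
                break
    return hits


def _b64_param(raw: bytes) -> str:
    """Build a base64-then-URL-encoded parameter value, as a sender would."""
    return quote_plus(base64.b64encode(raw).decode())


# Constructed sample bodies (not real traffic); action names are placeholders.
SAMPLE_BODIES = [
    "action=example_action&data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",   # URL-encoded object
    "action=example_action&data=" + _b64_param(b'O:12:"ExampleClass":0:{}'),  # base64-wrapped object
    "action=search&s=hello+world",                                        # benign
    "data=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22hello%22%3B%7D",                  # plain array: not flagged
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(find_php_objects(body), "<-", body)
```

Run over real access logs or WAF captures, a hit on an unauthenticated WordPress endpoint is the signal to investigate; a clean result only means no object marker was found in the decodings tried.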

Recommended Action (AI)

Within 24 hours: Identify all WordPress instances running Laurits theme versions ≤1.5.1 and immediately deactivate the theme in production. …

