Eldon WordPress Theme
CVE-2026-40738
Severity: HIGH (CVSS 8.1, vendor rating by Patchstack)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Rationale: the sink is a network-reachable WordPress theme endpoint that needs neither authentication nor user interaction (AV:N/PR:N/UI:N); AC:H reflects the need for a usable POP gadget chain on the target; a successful unserialize-driven RCE fully compromises confidentiality, integrity and availability, with scope unchanged (S:U) because the impact stays within the PHP process that serves the site.
Description (CVE.org)
Unauthenticated PHP Object Injection in Eldon <= 1.4.1 versions.
Analysis (AI)
Unauthenticated PHP Object Injection in the Eldon WordPress theme (versions <= 1.4.1) by Edge-Themes lets remote attackers inject arbitrary PHP objects through unsafe deserialization of request data. When a suitable POP gadget chain is present in the WordPress environment (core, another plugin or theme, or a bundled library), this can lead to remote code execution, data theft, or full site compromise; without such a chain the object injection alone is not directly exploitable, which is why Patchstack rates the flaw CVSS 8.1 (High) with high attack complexity. No public exploit was identified at the time of analysis.
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the target site to run the Eldon theme at version 1.4.1 or earlier with the vulnerable deserialization sink reachable over the network (no authentication and no user interaction, per PR:N/UI:N), and additionally requires a usable PHP object injection (POP) gadget chain in WordPress core, an active plugin, another theme, or a bundled library on the target. The gadget requirement is why the CVSS attack complexity is High. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) frames this as a network-reachable, unauthenticated flaw with high impact on confidentiality, integrity, and availability, but with high attack complexity, consistent with PHP object injection needing a working POP gadget chain on the target site. … |
| Exploit Scenario | An attacker sends a crafted HTTP request to a public Eldon-powered WordPress page, supplying a serialized PHP payload in a parameter that the theme passes into unserialize(). PHP instantiates the attacker-chosen objects and runs their magic methods (__wakeup, __destruct, __toString and similar), which, combined with a POP gadget present in WordPress core or another installed component, culminate in arbitrary file write or code execution. The advisory data supplied here does not name the vulnerable parameter or template, so the exact request shape is hypothetical. No user interaction or credentials are required; the attacker's main cost is finding a viable gadget chain on the specific deployment. |
| Remediation | Upgrade Eldon to a version newer than 1.4.1 once Edge-Themes publishes a fixed release. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/theme/eldon/vulnerability/wordpress-eldon-theme-1-4-1-php-object-injection-vulnerability for the exact patched version, since no vendor-released patch version is confirmed in the supplied data. Until a fix is available, treat any request carrying a serialized PHP object (a value beginning with O:<n>:" or C:<n>:") to the site as suspicious, and restrict the affected front-end endpoint where that is feasible. … |
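The following PHP script is an added illustration of the sink pattern the Exploit Scenario and Remediation rows describe; it is not code from the Eldon theme, from Edge-Themes, or from Patchstack. The `layout` parameter, the `TempFileCleaner` gadget class and the payload are constructed stand-ins for the unnamed sink and for whatever gadget a real deployment happens to expose. It shows the vulnerable `unserialize()` call beside two hardened replacements (`allowed_classes => false`, and switching to JSON) and a small detector for serialized-object payloads that is usable in WAF rules or log review.

```php
<?php
declare(strict_types=1);

// Added illustration for this advisory; none of this is Eldon theme code.
// The endpoint, the "layout" parameter, and the gadget class are constructed
// stand-ins for the unnamed sink and for whatever gadget a real site exposes.

// Stand-in POP gadget: a class whose magic method has a side effect. Real
// chains reuse classes that WordPress core, a plugin, or a bundled library
// already autoloads; this one only records what it would have done.
final class TempFileCleaner
{
    public static array $actions = [];
    public string $path = '';

    public function __wakeup(): void
    {
        // Runs inside unserialize() with an attacker-controlled $path.
        self::$actions[] = 'unlink(' . $this->path . ')';
    }
}

// Vulnerable sink: raw request data straight into unserialize().
function vulnerable_load_layout(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened sink, option 1: keep the format but refuse every class. Objects
// come back as __PHP_Incomplete_Class and no magic method is invoked.
function hardened_load_layout(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    // The layout is expected to be a plain array; anything else is rejected.
    return is_array($value) ? $value : null;
}

// Hardened sink, option 2: move to JSON, which has no object-instantiation
// semantics at all.
function json_load_layout(string $raw): ?array
{
    try {
        $value = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($value) ? $value : null;
}

// Log/WAF check: a serialized PHP object starts with O:<len>:"Class" (or
// C:<len>:" for Serializable), possibly nested after { ; or :.
function looks_like_serialized_object(string $param): bool
{
    return (bool) preg_match('/(?:^|[{;:])[OC]:\d+:"/', urldecode($param));
}

// Constructed payload, e.g. sent URL-encoded as ?layout=...
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:22:"/var/www/wp-config.php";}';

vulnerable_load_layout($payload);
printf("vulnerable: gadget actions = %s\n", json_encode(TempFileCleaner::$actions));

TempFileCleaner::$actions = [];
$safe = hardened_load_layout($payload);
printf("hardened: result=%s, gadget actions = %s\n",
    var_export($safe, true), json_encode(TempFileCleaner::$actions));

printf("json sink on same payload: %s\n", var_export(json_load_layout($payload), true));
printf("detector flags payload: %s\n",
    var_export(looks_like_serialized_object($payload), true));
printf("detector flags benign JSON: %s\n",
    var_export(looks_like_serialized_object('{"cols":2}'), true));
```

Running it under PHP 8 shows the vulnerable sink firing the gadget's `__wakeup` with the attacker-supplied path before the theme code has any chance to validate the result, while both hardened variants return null for the same input and leave the gadget's action log empty. The `allowed_classes => false` option is the minimal change when the serialized format must be kept for backward compatibility; JSON is the better end state because it cannot express PHP objects at all. The detector is deliberately coarse (it will also flag legitimate serialized objects in, say, a cookie some other plugin sets), so use it to triage rather than to block blindly.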
Recommended Action (AI)
Within 24 hours: Inventory all WordPress instances using Eldon theme version 1.4.1 or earlier. …
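As an added example for the inventory step (not code from the theme or from vuln.today), the script below identifies an Eldon install and its version the way WordPress itself does, from the `Theme Name:` and `Version:` headers in the theme's `style.css`, and flags anything at or below the advisory's affected ceiling of 1.4.1. The sample headers are constructed; the `scan_themes_dir()` function is what you would point at a real `wp-content/themes` directory. The affected ceiling is hard-coded as an assumption from the advisory and must be revisited once a fixed release is confirmed.

```php
<?php
declare(strict_types=1);

// Added example for the inventory step; not from the theme or from vuln.today.
// It identifies a theme the way WordPress does: by the "Theme Name:" and
// "Version:" headers in the theme's style.css.

// Highest affected version per the advisory (assumption: update this once a
// fixed release is confirmed).
const AFFECTED_CEILING = '1.4.1';

function parse_theme_header(string $styleCss): array
{
    $fields = ['Theme Name' => '', 'Version' => '', 'Template' => ''];
    foreach (array_keys($fields) as $key) {
        // Same header syntax WordPress accepts: "Key: value" at line start,
        // optionally behind comment punctuation.
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($key, '/') . ':(.*)$/mi', $styleCss, $m)) {
            $fields[$key] = trim(preg_replace('/\s*(?:\*\/|\?>).*/', '', $m[1]));
        }
    }
    return $fields;
}

function is_affected_eldon(array $header): bool
{
    if (strcasecmp($header['Theme Name'], 'Eldon') !== 0) {
        return false;
    }
    // No version header at all: treat as affected rather than silently skip.
    if ($header['Version'] === '') {
        return true;
    }
    return version_compare($header['Version'], AFFECTED_CEILING, '<=');
}

// Walk wp-content/themes. A child theme declares "Template: eldon" and carries
// its own Version, so the parent directory is what decides; scanning every
// directory picks the parent up regardless of which theme is active.
function scan_themes_dir(string $themesDir): array
{
    $affected = [];
    foreach (glob($themesDir . '/*/style.css') ?: [] as $css) {
        $h = parse_theme_header((string) file_get_contents($css));
        if (is_affected_eldon($h)) {
            $affected[basename(dirname($css))] = $h['Version'] ?: '(no version header)';
        }
    }
    return $affected;
}

// Constructed sample headers standing in for real style.css files.
$samples = [
    'eldon'       => "/*\nTheme Name: Eldon\nTheme URI: https://example.invalid/\nVersion: 1.4.1\n*/\n",
    'eldon-child' => "/*\nTheme Name: Eldon Child\nTemplate: eldon\nVersion: 1.0\n*/\n",
    'other'       => "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.1\n*/\n",
];
foreach ($samples as $dir => $css) {
    $h = parse_theme_header($css);
    printf("%-12s %-20s %-6s affected=%s\n", $dir, $h['Theme Name'], $h['Version'],
        is_affected_eldon($h) ? 'yes' : 'no');
}
```

Run `scan_themes_dir('/var/www/html/wp-content/themes')` (path is an assumption) on each host, or feed the function the output of a fleet-wide file collection; a theme that is installed but inactive still ships the vulnerable code on disk and should be removed or updated, so do not limit the inventory to the active theme.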