
LuxeDrive Theme CVE-2026-40739
EUVD-2026-37486 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-16 · Patchstack
CVSS 3.1 base score 8.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.1 HIGH
Unauthenticated network deserialization (AV:N/PR:N/UI:N); AC:H because exploitation depends on a usable POP gadget chain; full C/I/A impact on the WordPress host.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 16, 2026, 23:32 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in LuxeDrive <= 1.4 versions.

Analysis (AI)

Unauthenticated PHP object injection in the Mikado-Themes LuxeDrive WordPress theme, through version 1.4, allows remote attackers to deliver crafted serialized payloads that, when combined with a suitable POP gadget chain, can lead to remote code execution, data tampering or service disruption on the underlying WordPress site. No public exploit was identified at the time of analysis; the CVSS attack complexity is High because successful exploitation typically depends on a usable gadget chain being present in WordPress core or in other plugins or themes installed alongside LuxeDrive. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: identify a WordPress site running LuxeDrive ≤ 1.4
Delivery: craft a serialized PHP object carrying a gadget chain that exists on that site
Exploit: send an unauthenticated HTTP request to the vulnerable theme endpoint
Execution: trigger unserialize() and magic-method invocation, running code as the web server user
Persist: deploy a webshell
Impact: exfiltrate or tamper with data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires sending HTTP requests to a WordPress installation that has the Mikado-Themes LuxeDrive theme active at version 1.4 or earlier and that reaches the vulnerable unserialize() sink in the theme code; no WordPress user account or interaction is needed (PR:N/UI:N). …

Risk Assessment: Signals are mixed. CVSS 3.1 is 8.1 (AV:N/AC:H/PR:N/UI:N) with High impact across confidentiality, integrity and availability, reflecting that an unauthenticated network attacker who succeeds gains full compromise of the WordPress site, while AC:H acknowledges the dependency on a viable gadget chain and a reachable injection sink. …

Exploit Scenario: An attacker identifies a WordPress site running LuxeDrive ≤ 1.4 and sends an unauthenticated HTTP request to a theme endpoint or parameter whose value ends up in unserialize(), supplying a crafted serialized object that triggers a POP gadget chain present in WordPress core or another installed plugin. The chain executes during deserialization to write a PHP webshell into the uploads directory or to invoke wp_remote_post for further actions, giving the attacker code execution as the web server user. No public exploit was identified at the time of analysis, so weaponization would require gadget-chain development against the specific site's plugin stack.

Remediation: Upstream fix availability is not independently confirmed from the supplied data. Consult the Patchstack entry at https://patchstack.com/database/wordpress/theme/luxedrive/vulnerability/wordpress-luxedrive-theme-1-4-php-object-injection-vulnerability for the latest fixed-version guidance, and upgrade LuxeDrive to any vendor-released version above 1.4 once Mikado-Themes publishes a patched build. …
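Deciding whether an install needs that upgrade means reading the version WordPress itself reads, the header comment of the theme's style.css, and doing it for the parent theme rather than a child. The script below is added here as an example and is not code from vuln.today, Patchstack or Mikado-Themes. It assumes the theme directory slug is luxedrive (taken from the Patchstack URL path) and that the Theme Name header reads LuxeDrive; the style.css contents are constructed sample data, and the 1.4.1 entry is a hypothetical newer build, not a confirmed fix.

```python
"""Inventory WordPress theme installs for LuxeDrive <= 1.4 from their style.css headers.

Added example for this advisory; not code from vuln.today, Patchstack or Mikado-Themes.
Assumptions: theme slug "luxedrive" (from the Patchstack URL), Theme Name "LuxeDrive",
and "1.4" as the last affected version per the CVE description. No fixed version is asserted.
"""
import re
from pathlib import Path

# Only the header fields this check needs; the block is the leading /* ... */ comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Theme Name|Template|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)
LAST_AFFECTED = "1.4"


def parse_theme_header(style_css: str) -> dict[str, str]:
    """Header fields from the leading comment block, the same block WordPress reads."""
    header = style_css.split("*/", 1)[0]
    return dict(HEADER_RE.findall(header))


def version_key(version: str) -> tuple[int, ...]:
    """Numeric comparison key: '1.4.0' equals '1.4'; '1.4.1' and '1.10' are newer than '1.4'.
    Non-numeric components (e.g. 'rc1') compare as 0; that is an assumption of this example."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version.strip())]
    while parts and parts[-1] == 0:          # drop trailing zeros so 1.4.0 == 1.4
        parts.pop()
    return tuple(parts)


def is_affected(version: str) -> bool:
    return version_key(version) <= version_key(LAST_AFFECTED)


def affected_luxedrive_installs(themes: dict[str, str]) -> list[tuple[str, str, list[str]]]:
    """Return (parent_dir, parent_version, child_dirs) for every LuxeDrive parent theme at <= 1.4.

    themes maps a theme directory name to its style.css text.  Child themes are resolved
    through their Template header: a child's own Version says nothing about the parent code
    that contains the sink, so it is never used for the decision.  A parent with no Version
    header is reported as affected until verified by hand.
    """
    headers = {d: parse_theme_header(css) for d, css in themes.items()}
    children: dict[str, list[str]] = {}
    for d, h in headers.items():
        if "Template" in h:
            children.setdefault(h["Template"], []).append(d)
    found = []
    for d, h in headers.items():
        if "Template" in h:                  # child theme: judged via its parent above
            continue
        if h.get("Theme Name", "").strip().lower() == "luxedrive" and is_affected(h.get("Version", "0")):
            found.append((d, h.get("Version", "(missing)"), sorted(children.get(d, []))))
    return sorted(found)


def load_theme_headers(wp_content: str) -> dict[str, str]:
    """Read every themes/<dir>/style.css under a real wp-content directory."""
    base = Path(wp_content) / "themes"
    return {p.parent.name: p.read_text(errors="replace") for p in base.glob("*/style.css")}


# Constructed sample data: four theme directories as they might appear under wp-content/themes.
SAMPLE_THEMES = {
    "luxedrive": "/*\nTheme Name: LuxeDrive\nTheme URI: https://example.invalid/\nVersion: 1.4\n*/\n",
    "luxedrive-child": "/*\nTheme Name: LuxeDrive Child\nTemplate: luxedrive\nVersion: 2.0\n*/\n",
    "luxedrive-staging": "/*\nTheme Name: LuxeDrive\nVersion: 1.4.1\n*/\n",   # hypothetical newer build
    "twentytwentyfour": "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.2\n*/\n",
}

if __name__ == "__main__":
    for parent, version, kids in affected_luxedrive_installs(SAMPLE_THEMES):
        print(f"{parent} {version} affected; child themes depending on it: {kids or 'none'}")
```

On a real host, pass load_theme_headers("/var/www/html/wp-content") to affected_luxedrive_installs; the child-theme entry in the sample shows why the parent's version, not the child's 2.0, is what matters.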

Recommended Action (AI)

Within 24 hours: identify all WordPress instances using Mikado-Themes LuxeDrive version 1.4 and below; disable the theme on all non-production sites; establish log monitoring for suspicious POST requests and PHP serialization patterns aimed at theme directories. …
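The "PHP serialization patterns" worth monitoring are the O:<len>:"<class>" and C:<len>:"<class>" tokens that mark an object in PHP's serialization format, which is exactly the shape of the crafted payload in the exploit scenario above; a plain serialized array (a:...) carries no object and triggers no magic method. The detector below is added as an example and is not code from vuln.today, Patchstack or Mikado-Themes. It parses PHP's serialization grammar instead of grepping, so it also catches objects nested inside arrays and payloads that arrive percent-encoded or base64-wrapped. The log lines, the parameter names and the assumption that the server logs POST bodies in a trailing body="..." field are all constructed for the example.

```python
"""Detect PHP-serialized objects in request parameters found in web server logs.

Added example for this advisory; not code from vuln.today, Patchstack or Mikado-Themes.
The parser follows PHP's serialization grammar (N;, b:, i:, d:, r:/R:, s:, a:, O:, C:).
Log lines, parameter names and the body="..." log field are constructed for the example.
"""
import base64
import binascii
import re
from urllib.parse import quote, unquote, unquote_plus


class PhpSerializeError(ValueError):
    """Raised when the input deviates from the PHP serialization grammar."""


def _need(pattern: bytes, data: bytes, pos: int) -> re.Match:
    m = re.compile(pattern).match(data, pos)
    if m is None:
        raise PhpSerializeError(f"expected {pattern!r} at offset {pos}")
    return m


def _parse(data: bytes, pos: int, classes: list) -> int:
    """Parse one value at pos, collecting class names of O:/C: payloads; return the offset after it."""
    tag = data[pos:pos + 1]
    if tag == b"N":
        return _need(rb"N;", data, pos).end()
    if tag in (b"b", b"i", b"d", b"r", b"R"):            # scalars and back-references
        return _need(rb"[bidrR]:[^;{}]*;", data, pos).end()
    if tag == b"s":                                      # s:<bytelen>:"<bytes>";  (length counts bytes)
        m = _need(rb's:(\d+):"', data, pos)
        return _need(rb'";', data, m.end() + int(m.group(1))).end()
    if tag == b"a":                                      # a:<count>:{key;value;...}
        m = _need(rb"a:(\d+):\{", data, pos)
        pos = m.end()
        for _ in range(int(m.group(1))):
            pos = _parse(data, pos, classes)             # key
            pos = _parse(data, pos, classes)             # value
        return _need(rb"\}", data, pos).end()
    if tag in (b"O", b"C"):                              # O:<len>:"<class>":<n>:{props} / C:<len>:"<class>":<bytes>:{data}
        m = _need(rb'[OC]:(\d+):"', data, pos)
        name_end = m.end() + int(m.group(1))
        classes.append(data[m.end():name_end].decode("latin-1"))
        m2 = _need(rb'":(\d+):\{', data, name_end)
        pos = m2.end()
        if tag == b"C":                                  # opaque Serializable payload of <bytes> length
            pos += int(m2.group(1))
        else:
            for _ in range(int(m2.group(1))):
                pos = _parse(data, pos, classes)         # property name (\0*\0 / \0Class\0 prefixes allowed)
                pos = _parse(data, pos, classes)         # property value, may itself be an object
        return _need(rb"\}", data, pos).end()
    raise PhpSerializeError(f"unknown tag {tag!r} at offset {pos}")


def php_object_classes(data: bytes) -> list[str]:
    """Class names of every object in a PHP-serialized blob, in order of appearance.

    A malformed blob still returns the classes seen before the error: PHP would reject it,
    but the attempt is what a detector wants to surface.  Deep nesting (RecursionError) is
    treated the same way rather than as a reason to stay silent.
    """
    classes: list[str] = []
    try:
        _parse(data, 0, classes)
    except (PhpSerializeError, RecursionError):
        pass
    return classes


def _candidate_blobs(value: str) -> list[bytes]:
    """Raw, percent-decoded and base64-decoded views of one parameter value."""
    texts: list[str] = []
    for t in (value, unquote(value), unquote_plus(value)):
        if t not in texts:
            texts.append(t)
    blobs = [t.encode("utf-8") for t in texts]
    for t in texts:
        try:                                             # strict alphabet check; re-pad so stripped '=' still decodes
            blobs.append(base64.b64decode(t + "=" * (-len(t) % 4), validate=True))
        except (binascii.Error, ValueError):
            pass
    return blobs


PARAM_RE = re.compile(r'([A-Za-z0-9_.\-\[\]]+)=([^&\s"]+)')   # key=value pairs in query strings and logged bodies


def scan_log_line(line: str) -> list[tuple[str, list[str]]]:
    """(parameter, classes) for every parameter in the line that carries a serialized object."""
    findings = []
    for name, value in PARAM_RE.findall(line):
        for blob in _candidate_blobs(value):
            classes = php_object_classes(blob)
            if classes:
                findings.append((name, classes))
                break
    return findings


def scan_log(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """(line index, parameter, classes) across a batch of log lines."""
    return [(i, n, c) for i, line in enumerate(lines) for n, c in scan_log_line(line)]


# Constructed sample log: combined format plus a hypothetical body="..." field for POST bodies.
_OBJ = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'
_NESTED_B64 = base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode()
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jun/2026:23:32:01 +0000] "GET /?s=luxedrive HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jun/2026:23:32:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "curl/8.5.0" '
    'body="action=example_action&payload=' + quote(_OBJ, safe="") + '"',
    '198.51.100.7 - - [16/Jun/2026:23:32:03 +0000] "GET /?theme_data=' + quote(_NESTED_B64, safe="")
    + ' HTTP/1.1" 200 43 "-" "curl/8.5.0"',
    '203.0.113.5 - - [16/Jun/2026:23:32:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "Mozilla/5.0" '
    'body="opts=' + quote('a:1:{s:1:"k";s:1:"v";}', safe="") + '"',
]

if __name__ == "__main__":
    for idx, param, classes in scan_log(SAMPLE_LOG):
        print(f"line {idx}: parameter {param!r} carries serialized object(s) {classes}")
```

Feed scan_log() real access-log lines and review every (line, parameter, classes) hit; the class names tell you at once whether a request targets a known gadget class. The last sample line, a serialized array with no object, is deliberately not reported, which keeps plugins that legitimately post serialized option arrays from flooding the alert.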
