
Zoya WordPress Theme CVE-2026-40756

HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-17 Patchstack
8.1
CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable WordPress theme endpoint with no auth or user interaction; AC:H because practical RCE requires a usable POP gadget chain; full CIA impact via deserialization-to-RCE.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026 14:30 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in Zoya <= 1.4 versions.

Analysis (AI)

Unauthenticated PHP Object Injection in the Mikado-Themes Zoya WordPress theme versions 1.4 and earlier allows remote attackers to inject crafted serialized objects that are deserialized by the application. Successful exploitation can lead to arbitrary code execution, data tampering, or denial of service depending on the gadget chains present in WordPress core, plugins, or other themes loaded on the site. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify a WordPress site running Zoya ≤ 1.4
Delivery: Enumerate installed plugins and themes for usable POP gadgets
Exploit: Craft a serialized PHP object payload
Install: Submit the payload to the vulnerable theme endpoint
C2: Trigger unserialize() and the gadget classes' magic methods
Execute: Run the gadget chain for RCE or arbitrary file write
Impact: Establish webshell persistence

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) the Mikado-Themes Zoya theme at version 1.4 or earlier installed and activated on a publicly reachable WordPress site, (2) network reachability to the vulnerable theme endpoint that passes attacker-supplied input to PHP unserialize(), and (3) a usable POP gadget chain in WordPress core or in another plugin or theme loaded on the same site. The third requirement is what drives the CVSS AC:H rating: unserialize() without a chain only instantiates whatever classes are already loaded (unknown class names become __PHP_Incomplete_Class) and fires their __wakeup()/__destruct() methods; it does not run attacker-supplied code by itself. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, score 8.1) signals a network-reachable, unauthenticated flaw with full CIA impact. The AC:H qualifier indicates that practical exploitation depends on conditions outside the attacker's direct control, typically whether a usable gadget chain is present on the target site. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An unauthenticated attacker sends a crafted HTTP request to a public Zoya endpoint that passes attacker-controlled data into unserialize(). The request embeds a serialized object that triggers a POP gadget chain available on the target site (for example, a Monolog or Guzzle class bundled with another plugin). When PHP deserializes the payload, magic methods fire and the gadget chain writes a webshell, executes a command, or exfiltrates options from wp_options. …
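The mechanism described above, as an added example that is not code from the Zoya theme, Patchstack, or the vuln.today analysis: a hypothetical theme handler that unserializes request input, a hypothetical gadget class (CacheWriter, standing in for an innocent-looking class from some other plugin whose destructor does file I/O), the payload an attacker would build from it, and two hardened replacements. Everything named here is invented for illustration; the script assumes PHP 8.0 or newer and a writable temp directory.

```php
<?php
// Added example, not the Zoya theme's code. The class, function and property
// names are hypothetical stand-ins for (a) a theme handler that calls
// unserialize() on request input and (b) a gadget class loaded on the same site.
declare(strict_types=1);

// --- (b) A "gadget": an innocent-looking class from some other plugin. ---
// Nothing in it is malicious; it merely performs file I/O from a magic method.
final class CacheWriter
{
    public string $path = '';
    public string $data = '';

    // Runs when the object is destroyed, including immediately after unserialize()
    // when the result is discarded. Both properties come from the payload.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// --- (a) Vulnerable handler: deserializes attacker-controlled input (CWE-502). ---
function vulnerable_handler(string $raw): mixed
{
    return unserialize($raw);            // any loaded class can be instantiated
}

// --- Hardened handlers. ---
// 1. Same wire format, but objects are refused (allowed_classes, PHP >= 7.0).
function hardened_handler_allowed_classes(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// 2. Better: do not accept the PHP serialization format from untrusted input at all.
function hardened_handler_json(string $raw): mixed
{
    return json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
}

// --- Attacker side: "Craft serialized PHP object payload". ---
$gadget = new CacheWriter();
$gadget->path = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.txt';
$gadget->data = "<?php /* a real chain would drop a webshell here */ ?>\n";
$payload = serialize($gadget);
$target  = $gadget->path;
unset($gadget);                          // the destructor fires here as well ...
@unlink($target);                        // ... so remove the file before the checks below

echo "payload: $payload\n";              // O:11:"CacheWriter":2:{s:4:"path";...;s:4:"data";...}

// Vulnerable: the object is rebuilt, discarded, __destruct runs, the file appears.
vulnerable_handler($payload);
echo 'vulnerable handler      -> file written: ', var_export(file_exists($target), true), "\n";
@unlink($target);

// allowed_classes=false: you get __PHP_Incomplete_Class, which has no destructor.
$obj = hardened_handler_allowed_classes($payload);
echo 'allowed_classes=false   -> class: ', get_class($obj), "\n";
unset($obj);
echo 'allowed_classes=false   -> file written: ', var_export(file_exists($target), true), "\n";

// JSON handler: a serialized-object payload is simply not valid input.
try {
    hardened_handler_json($payload);
} catch (JsonException $e) {
    echo "json handler            -> rejected: {$e->getMessage()}\n";
}
```

Run it with `php poi_demo.php`; the first check prints `true` and the second `false`. Two caveats for the hardened variants: `allowed_classes => false` stops object instantiation but still lets the caller control arbitrary arrays and scalars, so the consuming code must validate shape and type; and switching to JSON only helps if the consuming code is changed to expect arrays rather than objects.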
Remediation: No vendor-released patch was identified at the time of analysis. Monitor the Patchstack advisory (https://patchstack.com/database/wordpress/theme/zoya/vulnerability/wordpress-zoya-theme-1-4-php-object-injection-vulnerability) for a Zoya release above 1.4 and upgrade the theme as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.
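While no fixed release exists, one compensating control a practitioner can deploy without touching third-party theme code is a request filter that runs before the theme loads. The following is an added example (not the theme's, Patchstack's, or WordPress core's code): a must-use plugin that rejects any request whose GET, POST or cookie data carries a serialized PHP object token. The hook choice (`muplugins_loaded`), the decision to also look one base64 layer deep, and the recursion limit are assumptions; the test inputs at the bottom are constructed.

```php
<?php
/**
 * Plugin Name: Reject serialized PHP objects in request input (added example)
 * Description: Drop into wp-content/mu-plugins/ so it runs before plugins and
 *              themes. Blocks requests carrying an O:<len>:"Class" or
 *              C:<len>:"Class" token in GET/POST/COOKIE data, which is what a
 *              PHP Object Injection payload looks like regardless of endpoint.
 */
declare(strict_types=1);

// Start of a serialized (O:) or custom-serialized (C:) object, allowing
// namespaced class names. Must not be preceded by an alphanumeric character.
const POI_SERIALIZED_OBJECT = '/(?:^|[^A-Za-z0-9])[OC]:\d+:"[A-Za-z0-9_\\\\]+":/';

/** True when $value, or any string nested inside it, carries a serialized object. */
function poi_contains_serialized_object(mixed $value, int $depth = 0): bool
{
    if ($depth > 8) {
        return false;                    // absurdly nested input: stop recursing
    }
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            if (poi_contains_serialized_object($k, $depth + 1)
                || poi_contains_serialized_object($v, $depth + 1)) {
                return true;
            }
        }
        return false;
    }
    if (!is_string($value)) {
        return false;
    }
    $candidates = [$value, rawurldecode($value)];
    // Payloads are often base64-wrapped to survive transport; inspect that layer too.
    if (preg_match('/^[A-Za-z0-9+\/=]{8,}$/', $value) === 1) {
        $decoded = base64_decode($value, true);
        if ($decoded !== false) {
            $candidates[] = $decoded;
        }
    }
    foreach ($candidates as $candidate) {
        if (preg_match(POI_SERIALIZED_OBJECT, $candidate) === 1) {
            return true;
        }
    }
    return false;
}

// Inside WordPress: inspect every request before plugin and theme code runs.
if (function_exists('add_action')) {
    add_action('muplugins_loaded', function (): void {
        foreach ([$_GET, $_POST, $_COOKIE] as $source) {
            if (poi_contains_serialized_object($source)) {
                status_header(400);
                exit('Bad request');
            }
        }
    });
}

// Standalone self-check when run from the CLI outside WordPress.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $cases = [                           // constructed inputs => expected verdict
        'O:11:"CacheWriter":2:{s:4:"path";s:10:"/tmp/x.php";}' => true,
        base64_encode('O:8:"stdClass":0:{}')                   => true,
        'http://example.com/?x=O:1:"A":0:{}'                    => true,
        'a:1:{i:0;s:3:"foo";}'                                  => false, // plain array, no object
        'normal search text'                                    => false,
    ];
    foreach ($cases as $input => $expected) {
        $got = poi_contains_serialized_object($input);
        printf("%s %s\n", $got === $expected ? 'ok  ' : 'FAIL', $input);
    }
}
```

This is a virtual patch, not a fix: it does not inspect raw request bodies that are not form-encoded, multipart file contents, or headers, and it will break any legitimate feature that sends serialized objects in a request (rare, but check your plugins before enabling it). Log the blocked requests so the detection side of the house gets the signal as well.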

Recommended Action (AI)

24 hours: Identify all WordPress installations using Zoya theme v1.4 or earlier; document version inventory and site criticality. …
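For the inventory step, an added example (not WordPress core, Zoya, or vuln.today code) that reads theme versions the way WordPress does, from the comment header of each theme's style.css, and flags copies of Zoya at or below 1.4. It also flags child themes whose "Template:" header points at zoya, because a child theme still loads the parent theme's PHP. The theme slug "zoya" is taken from the Patchstack advisory URL; the sample style.css headers at the bottom are constructed so the script runs offline.

```php
<?php
// Added example: inventory check for Zoya <= 1.4 by parsing style.css headers.
// Names below are hypothetical except the "zoya" slug from the advisory URL.
declare(strict_types=1);

const AFFECTED_SLUG         = 'zoya';
const LAST_AFFECTED_VERSION = '1.4';

/** Extract "Key: value" fields from the comment header of a style.css. */
function parse_theme_header(string $css): array
{
    $fields = [];
    $head = substr($css, 0, 8192);       // WordPress reads only the first 8 KiB
    foreach (['Theme Name', 'Version', 'Template', 'Author'] as $key) {
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($key, '/') . ':(.*)$/mi', $head, $m) === 1) {
            // strip a trailing "*/" or "?>" if the header is on one line
            $fields[$key] = trim((string) preg_replace('/\s*(?:\*\/|\?>).*/', '', $m[1]));
        }
    }
    return $fields;
}

/** Classify a theme directory (slug) with this parsed header. */
function zoya_exposure(string $slug, array $header): string
{
    $isZoya  = strtolower($slug) === AFFECTED_SLUG;
    $isChild = isset($header['Template']) && strtolower($header['Template']) === AFFECTED_SLUG;
    if (!$isZoya && !$isChild) {
        return 'not affected';
    }
    if ($isChild) {
        return 'child theme of zoya: the parent theme version decides exposure';
    }
    $version = $header['Version'] ?? '';
    if ($version === '') {
        return 'zoya, version unknown: treat as affected';
    }
    return version_compare($version, LAST_AFFECTED_VERSION, '<=')
        ? "zoya $version: AFFECTED (<= " . LAST_AFFECTED_VERSION . ')'
        : "zoya $version: above 1.4, confirm against the advisory's fixed version";
}

/** Walk wp-content/themes and classify every installed theme. */
function scan_themes_dir(string $themesDir): array
{
    $report = [];
    foreach (glob($themesDir . '/*/style.css') ?: [] as $stylesheet) {
        $slug = basename(dirname($stylesheet));
        $header = parse_theme_header((string) file_get_contents($stylesheet));
        $report[$slug] = zoya_exposure($slug, $header);
    }
    return $report;
}

// Constructed sample headers; on a real install these come from
// wp-content/themes/<slug>/style.css via scan_themes_dir().
$samples = [
    'zoya'             => "/*\nTheme Name: Zoya\nAuthor: Mikado-Themes\nVersion: 1.4\n*/\n",
    'zoya-child'       => "/*\nTheme Name: Zoya Child\nTemplate: zoya\nVersion: 1.0\n*/\n",
    'twentytwentyfour' => "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.1\n*/\n",
];
foreach ($samples as $slug => $css) {
    printf("%-18s %s\n", $slug, zoya_exposure($slug, parse_theme_header($css)));
}
// Real run: print_r(scan_themes_dir('/var/www/html/wp-content/themes'));
```

This lists every installed copy, active or not. Which theme is actually active (and therefore which code is loaded on every request) comes from the `template` and `stylesheet` options, which `wp theme list` reports from WP-CLI; treat inactive copies as lower priority but still remove them, since files under wp-content/themes remain web-reachable.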

