Skip to main content

Esmée Theme CVE-2026-40759

| EUVD-2026-37491 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-16 Patchstack
PHP Deserialization Esm E
8.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable unauthenticated deserialization with no user interaction; AC:H reflects required PHP gadget chain; full CIA impact via RCE on the WordPress host.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:29 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.

AnalysisAI

Unauthenticated PHP object injection in the Mikado Themes 'Esmée' WordPress theme (versions through 1.4) allows remote attackers to inject crafted serialized objects that are processed by unsafe deserialization. Exploitation depends on the presence of usable PHP gadget chains (often from WordPress core or co-installed plugins/themes), and no public exploit identified at time of analysis, but successful attacks can lead to file write, SQL manipulation, or remote code execution on the underlying site. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify WordPress site running Esmée ≤ 1.4
Delivery
Fingerprint installed plugins for gadgets
Exploit
Craft serialized PHP object payload
Install
Send HTTP request to deserialization sink
C2
Trigger magic methods via unserialize()
Execute
Execute gadget chain for code execution
Impact
Persist as webshell and pivot
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The target must be running the Mikado-Themes 'Esmée' WordPress theme at version 1.4 or earlier with a network-reachable endpoint that deserializes attacker-controlled input via PHP unserialize(); no WordPress authentication is required (PR:N) and no user interaction is required (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector AV:N/AC:H/PR:N/UI:N/C:H/I:H/A:H indicates a remotely reachable, unauthenticated sink with full CIA impact, but the High attack complexity flag signals that successful exploitation depends on conditions outside the attacker's direct control - almost certainly the presence of a usable PHP gadget chain in the victim environment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends an HTTP request to a public Esmée theme endpoint with a crafted serialized PHP object in a parameter, cookie, or form field that the theme passes to unserialize(). When PHP instantiates the object, a gadget chain assembled from WordPress core or other installed components fires via magic methods, leading to arbitrary file write or code execution and full site compromise. …
Remediation No vendor-released patch identified at time of analysis: the advisory only specifies affected versions ≤ 1.4 with no fixed version listed in the provided data. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all WordPress installations running 'Esmée' theme versions 1.4 and earlier; restrict public access to affected sites if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

CVE-2026-40759 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy