Skip to main content

Behold WordPress Theme CVE-2026-40760

| EUVD-2026-37492 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-16 Patchstack
PHP Deserialization Behold
8.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Unauthenticated network-reachable deserialization (AV:N/PR:N/UI:N); AC:H because exploitation depends on a usable gadget chain in the runtime; full CIA impact via arbitrary code execution.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:29 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in Behold <= 1.5 versions.

AnalysisAI

Unauthenticated PHP Object Injection in the Behold WordPress theme (versions ≤1.5) by edge-themes allows remote attackers to deliver crafted serialized payloads that are deserialized by the theme without validation. Successful exploitation can lead to full compromise of the affected WordPress site through gadget-chain abuse, with high confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify site running Behold ≤1.5
Delivery
Build serialized PHP payload with gadget chain
Exploit
Send unauthenticated HTTP request to vulnerable endpoint
Install
unserialize() instantiates attacker objects
C2
Magic methods trigger gadget chain
Execute
Write webshell or create admin user
Impact
Persistent site takeover
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the target WordPress site to have the Behold theme (edge-themes, version ≤1.5) installed and active, and to expose the vulnerable input vector to network requests (CVSS AV:N, PR:N, UI:N - no authentication, no user interaction). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects a network-reachable, unauthenticated vulnerability with high impact across the CIA triad, tempered by AC:H - typically because exploitation requires a usable POP (Property-Oriented Programming) gadget chain in the runtime, which is environment-dependent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a WordPress site running the Behold theme ≤1.5 and crafts a serialized PHP payload that references a known gadget chain available in the site's loaded code (WordPress core, plugins, or dependencies). The payload is submitted to the vulnerable input vector reachable over HTTP/HTTPS without authentication; when the theme calls unserialize() on the input, the gadget chain executes, leading to arbitrary file write, code execution, or database manipulation that lets the attacker plant a webshell or create an administrator account.
Remediation No vendor-released patch identified at time of analysis from the provided data - the Patchstack advisory at https://patchstack.com/database/wordpress/theme/behold/vulnerability/wordpress-behold-theme-1-5-php-object-injection-vulnerability should be checked for an updated fixed version beyond 1.5. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: inventory all WordPress installations and identify active deployments of Behold theme ≤v1.5; assess business criticality and prioritize remediation for customer-facing systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

CVE-2026-40760 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy