Skip to main content

Ashtanga WordPress Theme EUVD-2026-37487

| CVE-2026-40751 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-16 Patchstack
PHP Deserialization Ashtanga
8.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Network-reachable and unauthenticated (AV:N/PR:N/UI:N); AC:H because successful RCE depends on a reachable POP gadget chain in the target's plugin/theme stack; full C/I/A impact once chained.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:32 vuln.today

DescriptionCVE.org

Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions.

AnalysisAI

Unauthenticated PHP Object Injection in the Mikado-Themes Ashtanga WordPress theme (versions ≤ 1.2) allows remote attackers to deliver malicious serialized PHP objects to the application. When combined with a suitable POP (property-oriented programming) gadget chain present in WordPress core, other plugins, or themes, exploitation can lead to remote code execution, arbitrary file operations, or full site compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Ashtanga ≤ 1.2
Delivery
Craft serialized PHP payload with POP gadget chain
Exploit
Send unauthenticated HTTP request to vulnerable endpoint
Execution
Theme deserializes attacker-controlled object
Persist
Gadget chain triggers code execution or file write
Impact
Drop webshell and achieve full site takeover
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that (1) the target WordPress site has the Mikado-Themes Ashtanga theme version ≤ 1.2 installed and active, (2) the attacker can reach the vulnerable HTTP endpoint over the network (no authentication or user interaction required, per PR:N/UI:N), and (3) a usable POP gadget chain exists within the loaded WordPress core, plugins, or other themes on that specific site - this last requirement is reflected in CVSS AC:H and is the principal limiting factor, since PHP object injection on its own is harmless without a reachable gadget. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a WordPress site running the Ashtanga theme, crafts a serialized PHP payload that triggers a known POP gadget chain in WordPress core or a co-installed plugin (e.g., via a public PHPGGC chain), and submits it to the vulnerable Ashtanga parameter over HTTP without authentication. On deserialization, the chained magic methods execute, leading to file writes (webshell drop) or arbitrary code execution under the web server's user, resulting in full site takeover.
Remediation No vendor-released patch identified at time of analysis in the provided data - administrators should monitor Mikado-Themes and the Patchstack advisory at https://patchstack.com/database/wordpress/theme/ashtanga/vulnerability/wordpress-ashtanga-theme-1-2-php-object-injection-vulnerability for a fixed release beyond 1.2 and upgrade as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Conduct inventory of all WordPress installations using Ashtanga theme version 1.2 or earlier; isolate identified systems from public-facing traffic. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

EUVD-2026-37487 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy