CVE-2026-40735
Deferred Deferred - Pending Action
Unauthenticated PHP Object Injection in Reina

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated PHP Object Injection in Reina <= 2.1 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-40735
EUVD
EUVD-2026-37597
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
patchstack reina to 2.1 (exc)
patchstack reina 2.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated PHP Object Injection which can lead to code execution, SQL injection, path traversal, or denial of service. Such security risks can result in unauthorized access to sensitive data or disruption of services.

Exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of data, potentially causing non-compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information.

Therefore, failure to patch or mitigate this vulnerability may lead to violations of these regulations due to data breaches or service interruptions.

Executive Summary

CVE-2026-40735 is a high-priority unauthenticated PHP Object Injection vulnerability found in WordPress Reina Theme versions 2.1 and below.

This flaw allows attackers to inject malicious PHP objects, potentially leading to code execution, SQL injection, path traversal, or denial of service attacks if a suitable POP (Property Oriented Programming) chain exists.

Because it is unauthenticated, attackers do not need to be logged in to exploit this vulnerability, making it particularly dangerous.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution, which may allow attackers to take control of your website.

It can also lead to SQL injection, enabling attackers to manipulate or steal data from your database.

Path traversal attacks could allow attackers to access sensitive files on the server.

Additionally, it can cause denial of service, making your website unavailable to legitimate users.

Since the vulnerability is unauthenticated and can be exploited remotely, it poses a significant risk especially in mass attack campaigns targeting many websites.

Detection Guidance

The vulnerability affects WordPress Reina Theme versions 2.1 and below and is an unauthenticated PHP Object Injection flaw. Detection can involve monitoring for attack patterns targeting this vulnerability.

Patchstack has provided a mitigation rule to block attacks until the update is applied, which implies that IDS/IPS or WAF rules can be used to detect or block exploitation attempts.

Specific commands are not provided in the available resources.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WordPress Reina Theme to version 2.2 or later, where the vulnerability has been patched.

Until the update can be applied, it is recommended to implement the mitigation rule provided by Patchstack to block attacks targeting this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40735. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart