CVE-2026-40738
Deferred Deferred - Pending Action
Unauthenticated PHP Object Injection in Eldon

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated PHP Object Injection in Eldon <= 1.4.1 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-40738
EUVD
EUVD-2026-37694
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
eldon eldon 1.4.1
patchstack eldon to 1.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40738 is a high-priority PHP Object Injection vulnerability found in the WordPress Eldon Theme versions 1.4.1 and below.

This vulnerability allows unauthenticated attackers to inject malicious PHP objects, potentially leading to code execution, SQL injection, path traversal, denial of service, and other harmful actions if a suitable POP (Property Oriented Programming) chain exists.

It is classified under OWASP Top 10 A3: Injection and is considered highly dangerous due to its potential for widespread exploitation.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution, which may allow attackers to take control of your website.

It can also lead to SQL injection, enabling attackers to manipulate or steal data from your database.

Other impacts include path traversal attacks, denial of service conditions, and potentially other malicious activities.

Since the vulnerability requires no authentication, it can be exploited remotely by anyone, increasing the risk of mass exploitation across many websites using the vulnerable theme.

Detection Guidance

The vulnerability affects WordPress Eldon Theme versions 1.4.1 and below and allows unauthenticated PHP Object Injection. Detection involves identifying if the vulnerable theme version is in use on your system.

Since the vulnerability is related to a specific theme version, you can check the installed version of the Eldon theme on your WordPress site.

  • Use WP-CLI to check the theme version: wp theme list --status=active
  • Manually check the version in the theme's style.css file located in wp-content/themes/eldon/

Network detection of exploitation attempts may require monitoring for suspicious HTTP requests targeting the Eldon theme endpoints, but no specific commands or signatures are provided.

Mitigation Strategies

Immediate mitigation steps include updating the Eldon theme to version 1.5 or later, which contains the patch for this vulnerability.

Until the update can be applied, it is advised to apply mitigation measures through Patchstack to block attacks targeting this vulnerability.

Because the vulnerability requires no authentication and is highly exploitable, prompt action is critical to prevent code injection, SQL injection, path traversal, denial of service, and other malicious activities.

Compliance Impact

The vulnerability in the WordPress Eldon Theme (versions 1.4.1 and below) allows unauthenticated PHP Object Injection, which can lead to code execution, SQL injection, path traversal, and denial of service attacks.

Such security issues can result in unauthorized access to sensitive data or disruption of services, potentially causing non-compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.

Failure to address this vulnerability could lead to data breaches or service outages, which are reportable incidents under these regulations and may result in legal and financial penalties.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40738. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart