CVE-2026-40760
Deferred Deferred - Pending Action
Unauthenticated PHP Object Injection in Behold

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated PHP Object Injection in Behold <= 1.5 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-40760
EUVD
EUVD-2026-37492
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
behold behold to 1.5 (inc)
patchstack behold to 1.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in the WordPress Behold Theme (versions 1.5 and below) allows unauthenticated PHP Object Injection, which can lead to code execution, SQL injection, path traversal, and denial of service attacks. Such exploitation could result in unauthorized access to sensitive data or disruption of services.

Because of the potential for unauthorized data access and system compromise, this vulnerability could negatively impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Organizations using the affected versions should update to the patched version 1.6 immediately to mitigate these risks and maintain compliance with relevant security requirements.

Executive Summary

CVE-2026-40760 is a high-priority PHP Object Injection vulnerability found in the WordPress Behold Theme versions 1.5 and below. This flaw allows attackers to inject malicious PHP objects without needing to be authenticated, meaning they do not require prior access to the system.

Exploitation of this vulnerability can lead to various attacks such as code injection, SQL injection, path traversal, denial of service, and other malicious activities if a suitable Property-Oriented Programming (POP) chain exists.

The vulnerability is classified under the OWASP Top 10 category A3: Injection and has a CVSS severity score of 8.1, indicating a high risk.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution, data breaches through SQL injection, unauthorized file access via path traversal, and service disruption through denial of service attacks.

Because the vulnerability is unauthenticated, attackers can exploit it remotely without any prior access, increasing the risk of mass exploitation campaigns targeting thousands of websites using the vulnerable theme.

If exploited, it could compromise the confidentiality, integrity, and availability of your website and its data.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WordPress Behold Theme to version 1.6 or later, as this version contains the patch for the PHP Object Injection flaw.

Until the update can be applied, it is advised to implement the temporary mitigation rule provided by Patchstack to block attacks targeting this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40760. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart