Description
Unauthenticated PHP Object Injection in ShiftUp <= 1.3 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a PHP Object Injection flaw classified as CWE-502. An attacker can supply specially crafted input that is unserialized by the ShiftUp theme, allowing the creation of arbitrary PHP objects. Exploitation can lead to malicious code execution, compromising confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

The affected product is the Mikado‑Themes ShiftUp WordPress theme, specifically all releases up to and including version 1.3. Any site using these versions with the theme installed is vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog. The flaw is unauthenticated and can be triggered via exposed web interfaces, so attackers with internet access to the site can initiate exploitation without special privileges. The primary attack vector is therefore over the network, through the theme’s handling of user-supplied data.

Generated by OpenCVE AI on June 18, 2026 at 14:30 UTC.

Remediation

Vendor Solution

Update the WordPress ShiftUp Theme to the latest available version (at least 1.4).


OpenCVE Recommended Actions

  • Update ShiftUp Theme to version 1.4 or later, as supplied by the vendor.
  • Deploy a security policy to block remote PHP unserialize calls, for example by enabling ModSecurity or similar rules that detect and prevent malicious object injection payloads.
  • Supplement patching by ensuring that any PHP unserialization functions are only used with trusted data, and audit custom theme code for unserialize usage.

Generated by OpenCVE AI on June 18, 2026 at 14:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes shiftup
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes shiftup
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in ShiftUp <= 1.3 versions.
Title WordPress ShiftUp theme <= 1.3 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Mikado-themes Shiftup
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:45:23.630Z

Reserved: 2026-04-15T09:19:28.916Z

Link: CVE-2026-40733

cve-icon Vulnrichment

Updated: 2026-06-17T14:45:19.620Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:20Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data