Description
Unauthenticated PHP Object Injection in Reina <= 2.1 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw that allows an unauthenticated attacker to deserialize arbitrary PHP objects, potentially enabling remote code execution. The flaw is classified as CWE‑502 and may compromise confidentiality, integrity, and availability of the affected system if exploited. Because the vulnerability is unrelated to authentication, any user who can access the vulnerable WordPress site may submit crafted requests to trigger the flaw.

Affected Systems

The issue affects installations of the Edge‑Themes Reina WordPress theme version 2.1 or earlier. Users running any of these theme versions should verify their currently installed version and be aware that the vulnerability exists in all releases up to 2.1 inclusive.

Risk and Exploitability

The vulnerability scores a CVSS of 8.1, indicating high severity. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, yet the absence of these metrics does not diminish the inherent risk of an unauthenticated flaw that can lead to remote code execution. The CVE description indicates that the flaw is a PHP Object Injection that can be triggered by an unauthenticated attacker, but it does not disclose specific entry points; therefore, any component of the Reina theme that processes serialized data is a potential exploitation vector. Because the flaw does not require authentication, sites that expose the vulnerable theme to the public are at risk of compromise.

Generated by OpenCVE AI on June 18, 2026 at 14:04 UTC.

Remediation

Vendor Solution

Update the WordPress Reina Theme to the latest available version (at least 2.2).


OpenCVE Recommended Actions

  • Upgrade the WordPress Reina Theme to version 2.2 or later as provided by the vendor.
  • Delete or rename any residual files from older Reina Theme versions that may still be present on the server.
  • Review custom theme or plugin code that uses PHP serialization functions and restrict or sanitize input to prevent future deserialization attacks.

Generated by OpenCVE AI on June 18, 2026 at 14:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Edge-themes
Edge-themes reina
Wordpress
Wordpress wordpress
Vendors & Products Edge-themes
Edge-themes reina
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Reina <= 2.1 versions.
Title WordPress Reina theme <= 2.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Edge-themes Reina
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:28:31.988Z

Reserved: 2026-04-15T09:19:28.916Z

Link: CVE-2026-40735

cve-icon Vulnrichment

Updated: 2026-06-17T15:28:25.273Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:59Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data