Description
Unauthenticated PHP Object Injection in Eldon <= 1.4.1 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated PHP Object Injection flaw present in Eldon theme versions up to 1.4.1. This weakness allows an attacker to craft a malicious serialized PHP object that is processed by the theme without proper validation, potentially leading to arbitrary code execution, data tampering, or other destructive actions. The flaw is classified as CWE‑502, indicating insecure deserialization.

Affected Systems

The affected product is the WordPress Eldon theme supplied by Edge‑Themes. All releases up to and including version 1.4.1 are vulnerable. Versions 1.5 and later contain the fix and are not affected.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and the current EPSS score is unavailable, suggesting no publicly known exploitation data yet, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an unauthenticated web request where the attacker supplies a serialized PHP payload, which the theme processes without validation. Successful exploitation would provide the attacker with unrestricted control over the WordPress site, enabling remote code execution and full compromise of site data and services.

Generated by OpenCVE AI on June 18, 2026 at 11:45 UTC.

Remediation

Vendor Solution

Update the WordPress Eldon Theme to the latest available version (at least 1.5).


OpenCVE Recommended Actions

  • Update the WordPress Eldon Theme to version 1.5 or later.
  • If an immediate update is not possible, restrict or disable any endpoints or form fields that accept serialized PHP data— for example, block file upload or REST API routes used by the theme.
  • As a temporary measure, add server‑side validation to reject or sanitize user‑supplied data that could contain serialized objects, mitigating the object injection vector until the theme update is applied.

Generated by OpenCVE AI on June 18, 2026 at 11:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Edge-themes
Edge-themes eldon
Wordpress
Wordpress wordpress
Vendors & Products Edge-themes
Edge-themes eldon
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Eldon <= 1.4.1 versions.
Title WordPress Eldon theme <= 1.4.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Edge-themes Eldon
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:37:23.551Z

Reserved: 2026-04-15T09:19:28.916Z

Link: CVE-2026-40738

cve-icon Vulnrichment

Updated: 2026-06-17T15:37:18.449Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:45Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data