Description
Unauthenticated PHP Object Injection in LuxeDrive <= 1.4 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated PHP Object Injection in the LuxeDrive theme up to version 1.4 enables attackers to insert crafted serialized data that becomes parsed by the theme, potentially allowing arbitrary code execution or other malicious actions that compromise the WordPress installation’s confidentiality, integrity, or availability. The weakness corresponds to CWE‑502, indicating deserialization of untrusted data without adequate validation.

Affected Systems

Mikado‑Themes’ WordPress LuxeDrive theme versions 1.4 and earlier. Any WordPress site that has not upgraded beyond version 1.4 is susceptible.

Risk and Exploitability

With a CVSS score of 8.1 the vulnerability is rated high severity. The EPSS score is below 1 %, suggesting that, while the technical risk is significant, the probability that attackers will exploit this flaw in the wild is low at present. The issue is not listed in CISA’s KEV catalog. Because the attack does not require authentication, the likely attack vector is an unauthenticated HTTP request carrying a maliciously crafted serialized payload, which the theme processes during routine operations.

Generated by OpenCVE AI on June 17, 2026 at 18:16 UTC.

Remediation

Vendor Solution

Update the WordPress LuxeDrive Theme to the latest available version (at least 1.5).


OpenCVE Recommended Actions

  • Update the LuxeDrive theme to version 1.5 or later, which removes the vulnerable deserialization logic.
  • Audit any custom theme code to eliminate the use of PHP’s unserialize() or other deserialization routines on data that could be supplied by untrusted users.
  • Restrict or secure any endpoints that accept serialized data by validating the source and structure before deserialization.

Generated by OpenCVE AI on June 17, 2026 at 18:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes luxedrive
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes luxedrive
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in LuxeDrive <= 1.4 versions.
Title WordPress LuxeDrive theme <= 1.4 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Mikado-themes Luxedrive
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:38:59.221Z

Reserved: 2026-04-15T09:19:28.916Z

Link: CVE-2026-40739

cve-icon Vulnrichment

Updated: 2026-06-17T10:38:54.625Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:30:04Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data