Description
Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Ashtanga theme for WordPress, versions 1.2 and earlier, contains an unauthenticated PHP Object Injection flaw. An attacker can supply a crafted serialized payload to the theme’s processing logic, triggering the unserialize function on untrusted data. This leads to potential remote code execution or other destructive actions, as the injected object can execute arbitrary PHP code. The weakness is catalogued as CWE‑502 (Deserialization of Untrusted Data).

Affected Systems

All WordPress sites that have deployed Mikado Themes’ Ashtanga theme version 1.2 or older are affected. Sites using version 1.3 or later are considered fixed.

Risk and Exploitability

The CVSS score is 8.1, indicating high severity. The EPSS score is less than 1%, indicating a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw is unauthenticated, a remote attacker can trigger it over the network, potentially achieving full code execution on the web server or compromising site data. Exploitation requires sending a crafted serialized PHP object to the theme’s processing entry point, which is feasible with standard HTTP requests.

Generated by OpenCVE AI on June 17, 2026 at 19:34 UTC.

Remediation

Vendor Solution

Update the WordPress Ashtanga Theme to the latest available version (at least 1.3).


OpenCVE Recommended Actions

  • Update the WordPress Ashtanga Theme to version 1.3 or later.
  • If an update is not possible, delete the Ashtanga theme and replace it with a secure alternative.
  • Implement server‑side input validation or a firewall rule to block malformed serialized PHP objects that could trigger deserialization attacks.

Generated by OpenCVE AI on June 17, 2026 at 19:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes ashtanga
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes ashtanga
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions.
Title WordPress Ashtanga theme <= 1.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Mikado-themes Ashtanga
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:38:45.728Z

Reserved: 2026-04-15T09:20:25.914Z

Link: CVE-2026-40751

cve-icon Vulnrichment

Updated: 2026-06-17T10:38:39.522Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:02Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data