Description
Unauthenticated PHP Object Injection in TechLink <= 1.3 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated PHP Object Injection flaw in the WordPress TechLink theme versions 1.3 and earlier. By exploiting this weakness, an attacker can craft input that causes the vulnerable code to instantiate arbitrary PHP objects, potentially leading to the execution of arbitrary code or privilege escalation on the affected WordPress installation. The weakness maps to CWE-502 and the associated CVSS score of 8.1 indicates a high severity impact on confidentiality, integrity, and availability.

Affected Systems

The affected vendor is Mikado‑Themes with the TechLink theme. All releases up to and including version 1.3 are impacted. Affected installations must check the theme version and upgrade if necessary.

Risk and Exploitability

The exploit probability is very low as reflected by an EPSS score of less than 1%. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an unauthenticated web request that supplies a crafted payload to a vulnerable endpoint. Given the high CVSS score, if an attacker succeeds, they could gain complete control over the WordPress site.

Generated by OpenCVE AI on June 17, 2026 at 20:34 UTC.

Remediation

Vendor Solution

Update the WordPress TechLink Theme to the latest available version (at least 1.4).


OpenCVE Recommended Actions

  • Upgrade the WordPress TechLink theme to version 1.4 or newer
  • Configure a web application firewall to block suspicious object injection patterns
  • Add input validation to reject or sanitize any data that could be deserialized into PHP objects

Generated by OpenCVE AI on June 17, 2026 at 20:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes techlink
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes techlink
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in TechLink <= 1.3 versions.
Title WordPress TechLink theme <= 1.3 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Mikado-themes Techlink
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:38:16.090Z

Reserved: 2026-04-15T09:20:25.914Z

Link: CVE-2026-40755

cve-icon Vulnrichment

Updated: 2026-06-17T10:38:09.448Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:43Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data