Description
Unauthenticated PHP Object Injection in Château <= 1.2.1 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an unauthenticated PHP Object Injection flaw that allows an attacker to instantiate arbitrary PHP objects through serialized data processing. The flaw enables execution of arbitrary code within the context of the WordPress site, which can lead to full compromise of site integrity and confidentiality.

Affected Systems

The Mikado-Themes Château theme versions 1.2.1 and earlier are affected by this weakness. Any WordPress installation using these versions is vulnerable until the theme is upgraded.

Risk and Exploitability

The assigned CVSS score of 8.1 indicates high severity. EPSS data are not available, and the issue is not listed in CISA KEV. The vulnerability can be exploited remotely without authentication, likely by sending crafted serialized input through a vulnerable endpoint or form field. Successful exploitation can result in arbitrary code execution on the web server.

Generated by OpenCVE AI on June 18, 2026 at 11:45 UTC.

Remediation

Vendor Solution

Update the WordPress Château Theme to the latest available version (at least 1.3).


OpenCVE Recommended Actions

  • Upgrade the WordPress Château Theme to version 1.3 or later.
  • Deactivate or uninstall the Château theme until the update is applied.
  • Ensure that any serialization handling in the theme is removed or sanitized, avoiding the use of PHP’s unserialize on untrusted data.

Generated by OpenCVE AI on June 18, 2026 at 11:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes château
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes château
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Château <= 1.2.1 versions.
Title WordPress Château theme <= 1.2.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Mikado-themes Château
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:28:24.231Z

Reserved: 2026-04-15T09:20:25.914Z

Link: CVE-2026-40757

cve-icon Vulnrichment

Updated: 2026-06-17T14:11:05.344Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:16Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data