Description
Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated PHP Object Injection in WordPress Léonie theme versions 1.2.1 and earlier allows an attacker to inject malicious objects into PHP's unserialize function, potentially yielding arbitrary code execution. This weakness is defined by CWE-502 and can compromise confidentiality, integrity, and availability of the affected site.

Affected Systems

Elated‑Themes’ WordPress Léonie theme 1.2.1 and older on any WordPress installation are vulnerable. The recommended fix is to upgrade to version 1.3 or later.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity vulnerability, while an EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is unauthenticated, meaning any visitor could trigger it; the lack of listing in CISA’s KEV catalog indicates it has not been documented as a known exploited vulnerability. Prompt patching is advised to mitigate the risk of remote code execution.

Generated by OpenCVE AI on June 17, 2026 at 19:34 UTC.

Remediation

Vendor Solution

Update the WordPress Léonie Theme to the latest available version (at least 1.3).


OpenCVE Recommended Actions

  • Update the WordPress Léonie theme to the latest available version (at least 1.3).
  • If an immediate update is not possible, deactivate or remove the Léonie theme and switch to a secure fallback theme.
  • Monitor application logs for suspicious unserialize activity to detect any attempted exploitation.

Generated by OpenCVE AI on June 17, 2026 at 19:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes léonie
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes léonie
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.
Title WordPress Léonie theme <= 1.2.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Elated-themes Léonie
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:38:00.200Z

Reserved: 2026-04-15T09:20:25.914Z

Link: CVE-2026-40758

cve-icon Vulnrichment

Updated: 2026-06-17T10:37:55.609Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:41Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data