Description
Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Esmée WordPress theme versions 1.4 and earlier contain an unauthenticated PHP Object Injection flaw that can allow an attacker to craft malicious object serialization data. This weakness is a classic instance of CWE-502 and, if exploited, can lead to arbitrary code execution or compromise of the web application, potentially exposing sensitive data or allowing full control of the WordPress site.

Affected Systems

The vulnerability affects Mikado-Themes' Esmée theme installed in WordPress environments running version 1.4 or any earlier release. No other products are listed as impacted.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity level, while the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The flaw is not currently listed in the CISA KEV catalog, and no public exploit has been reported. Attackers likely target the site via unauthenticated web requests that trigger the object injection mechanism, which could result in code execution if the environment processes the injected objects without proper validation.

Generated by OpenCVE AI on June 17, 2026 at 19:34 UTC.

Remediation

Vendor Solution

Update the WordPress Esmée Theme to the latest available version (at least 1.5).


OpenCVE Recommended Actions

  • Update the Esmée theme to version 1.5 or later, which removes the vulnerable code path.
  • Confirm that no legacy files from versions 1.4 or earlier remain on the server, as residual data could still expose the flaw.
  • If immediate version upgrade is not feasible, replace any user input that could be serialized with sanitized and validated data, and consider implementing a Web Application Firewall rule to block suspicious serialization patterns.

Generated by OpenCVE AI on June 17, 2026 at 19:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes esmée
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes esmée
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.
Title WordPress Esmée theme <= 1.4 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Mikado-themes Esmée
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:37:46.720Z

Reserved: 2026-04-15T09:20:25.914Z

Link: CVE-2026-40759

cve-icon Vulnrichment

Updated: 2026-06-17T10:37:42.061Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:40Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data