Description
Unauthenticated PHP Object Injection in Behold <= 1.5 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated PHP Object Injection vulnerability exists in the Edge‑Themes Behold WordPress theme through version 1.5. By manipulating serialized PHP data, an attacker can cause the theme to instantiate objects without proper validation. This flaw enables the execution of arbitrary code on the web server, potentially compromising the confidentiality, integrity, and availability of the affected site.

Affected Systems

WordPress sites that use the Edge‑Themes Behold theme version 1.5 or earlier are affected. The vulnerability applies to all installations of this theme, regardless of the hosting environment. The exact cab allowed you update to a later release (1.6 or higher).

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity vulnerability, while the EPSS score of less than 1% suggests a low current likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. Attackers can reach the vulnerable code via the public web interface with no authentication required, making exploitation practically straightforward when the theme is in use.

Generated by OpenCVE AI on June 17, 2026 at 19:33 UTC.

Remediation

Vendor Solution

Update the WordPress Behold Theme to the latest available version (at least 1.6).


OpenCVE Recommended Actions

  • Update the WordPress Behold Theme to version 1.6 or higher
  • If an immediate update is not possible, remove or disable the Behold theme from the WordPress installation
  • Monitor logs for abnormal activity such as attempted object deserialization or unexpected code execution

Generated by OpenCVE AI on June 17, 2026 at 19:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Edge-themes
Edge-themes behold
Wordpress
Wordpress wordpress
Vendors & Products Edge-themes
Edge-themes behold
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Behold <= 1.5 versions.
Title WordPress Behold theme <= 1.5 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Edge-themes Behold
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:37:33.148Z

Reserved: 2026-04-15T09:20:32.456Z

Link: CVE-2026-40760

cve-icon Vulnrichment

Updated: 2026-06-17T10:37:27.966Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:24Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data