PatchSiren


CVE-2026-40754 Elated-Themes CVE debrief

CVE-2026-40754 is a high-severity vulnerability (CVSS 8.1) in the Roisin WordPress theme, affecting versions up to 1.4. It allows unauthenticated attackers to inject PHP objects, potentially leading to code execution. The vulnerability was published on June 17, 2026, and last modified on the same day. Users of the affected theme should apply patches or updates as soon as they are available.

Vendor: Elated-Themes
Product: Roisin
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

WordPress administrators and security teams using the Roisin theme version 1.4 or earlier should prioritize patching this vulnerability to prevent potential code execution attacks.

Technical summary

CVE-2026-40754 is an unauthenticated PHP object injection vulnerability in the Roisin WordPress theme, affecting versions up to 1.4. It has a CVSS score of 8.1 (High). The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: the attack is reachable over the network and needs no privileges or user interaction, attack complexity is high, and the impact on confidentiality, integrity, and availability is high. The weakness is categorized as CWE-502 (Deserialization of Untrusted Data).

Defensive priority

High

Recommended defensive actions

  • Apply patches or updates for the Roisin WordPress theme as soon as available.
  • Restrict access to the WordPress installation to trusted users only.
  • Implement a Web Application Firewall (WAF) to detect and block suspicious traffic.
  • Regularly update and monitor the WordPress core, themes, and plugins.
  • Consider using a security plugin to enhance WordPress security.
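
One way to back the WAF and monitoring recommendations above until a fixed version is installed is to flag request parameters that carry a serialized PHP object, which is the input an object injection (CWE-502) depends on. The following Python is an added example, not code from the advisory, the theme or any WAF product. The paths, parameter names and sample requests are constructed, because the page does not say which input of the theme is affected.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# PHP serialize() writes objects as O:<len>:"<Class>":<count>:{ and custom-serialized
# objects as C:<len>:"<Class>":<len>:{ . An optional sign before the length is tolerated.
OBJECT_MARKER = re.compile(r'(?<!\w)[OC]:[+]?\d+:"[\w\\]+":\d+:\{')

def candidate_forms(value):
    """Yield a parameter value as received, URL-decoded once more, and base64-decoded."""
    yield value
    again = unquote_plus(value)
    if again != value:
        yield again
    try:
        # parse_qsl turns '+' into ' ', so restore it before strict base64 decoding.
        yield base64.b64decode(value.replace(" ", "+"), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: not base64, nothing more to try
        return

def scan_request(url, body=""):
    """Return (parameter, matched marker) pairs for query/form values holding a PHP object."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, value in pairs:
        for form in candidate_forms(value):
            match = OBJECT_MARKER.search(form)
            if match:
                hits.append((name, match.group(0)))
                break
    return hits

# Constructed sample traffic: hypothetical parameter names, harmless stdClass object.
OBJ = 'O:8:"stdClass":0:{}'
SAMPLES = [
    ("/index.php?page=2&demo_state=" + quote(OBJ, safe=""), ""),
    ("/index.php", "demo_blob=" + quote(base64.b64encode(OBJ.encode()).decode(), safe="")),
    ("/index.php?demo_list=" + quote('a:1:{i:0;O:8:"stdClass":0:{}}', safe=""), ""),
    # Serialized array without an object, plus a search term that only looks similar.
    ("/index.php?demo_list=" + quote('a:1:{i:0;s:3:"abc";}', safe="") + "&s=O:8+ratio", ""),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url[:40], "->", scan_request(url, body) or "clean")
```

A match is a signal to review or block, not proof of exploitation, since some applications legitimately pass serialized data in requests.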

Evidence notes

The vulnerability information is based on data from the National Vulnerability Database (NVD) and Patchstack. The CVE record was published on June 17, 2026, and last modified on the same day.

Official resources

CVE-2026-40754 was published on June 17, 2026, and last modified on the same day.