PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40757 Mikado-Themes CVE debrief

The Château theme, version 1.2.1 or earlier, is vulnerable to an unauthenticated PHP object injection attack. This HIGH-severity vulnerability, with a CVSS score of 8.1, could allow attackers to execute arbitrary code on affected systems. Users of the Château theme should update to the latest version immediately. This vulnerability was made public on June 17, 2026. The vulnerability is tracked under CVE-2026-40757.

Vendor
Mikado-Themes
Product
Château
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Administrators and users of the Château theme version 1.2.1 or earlier should be aware of this vulnerability. Given its HIGH severity and potential for code execution, immediate action is recommended.

Technical summary

CVE-2026-40757 is an unauthenticated PHP object injection vulnerability in the Château theme for WordPress, affecting versions up to and including 1.2.1. The vulnerability allows attackers to inject malicious PHP objects, potentially leading to arbitrary code execution. The CVSS:3.1 vector is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a HIGH severity. This issue is classified under CWE-502.

Defensive priority

HIGH

Recommended defensive actions

  • Update the Château theme to the latest version.
  • Restrict access to sensitive areas of the website.
  • Monitor website activity for suspicious behavior.
  • Implement a Web Application Firewall (WAF).
  • Regularly update and patch all software and themes.
  • Use secure protocols for data transmission.
  • Educate users about secure practices.

Evidence notes

Information provided by Patchstack and NVD. The CVE was published and modified on June 17, 2026. Details are based on available data from these sources.

Official resources

public