CVE-2026-40746 themagnifico52 CVE debrief

Who should care

Administrators of WordPress sites using the Restaurant Zone theme, particularly those allowing subscriber-level access, should prioritize updating to a patched version of the theme to prevent potential exploitation.

Technical summary

The Restaurant Zone theme for WordPress, version 0.7.8 and earlier, contains a vulnerability that allows subscribers to upload arbitrary files. This vulnerability is due to insufficient validation of file uploads, allowing an attacker to potentially upload malicious files that could be used for code execution or other malicious activities. The vulnerability has been assigned a CVSS score of 9.9, indicating a critical severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating that the vulnerability can be exploited over the network with low attack complexity and privileges.

Defensive priority

high

Recommended defensive actions

• Update the Restaurant Zone theme to a version that is not vulnerable.
• Restrict file uploads to trusted users only.
• Implement a Web Application Firewall (WAF) to detect and prevent suspicious file upload activity.
• Regularly monitor website activity for signs of exploitation.
• Consider using a security plugin to enhance WordPress security.
• Limit subscriber-level access to sensitive areas of the website.
• Perform regular security audits and vulnerability assessments.

Evidence notes

The vulnerability was reported by Patchstack and is tracked as CVE-2026-40746. The CVE record and NVD detail pages provide additional information about the vulnerability. [ref-4] provides mitigation details.

Official resources