Security Advisory - Published 2026-06-17 - WordPress Theme

CVE-2026-40750: check Kids Online Store theme through 0.8.9

Patchstack lists CVE-2026-40750 as a dangerous file upload issue in the Kids Online Store WordPress theme through 0.8.9. If the theme is installed on a public site, check the theme version and the filesystem before treating the site as clean.

Defensive scope: this page is for WordPress sites you own or manage. It does not include upload payloads, vulnerable request examples, or unauthorized testing steps.

Who is affected

Theme: Kids Online Store by themagnifico52
CVE: CVE-2026-40750
Affected range: Through 0.8.9, according to Patchstack
Main risk: Upload of dangerous file types that may lead to server-side code execution
Priority: Critical. Check active and inactive theme folders.

10-minute site-owner check

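# List installed themes with version and status (run from the WordPress root)
wp theme list --fields=name,version,status
# Status of this theme; errors are hidden if it is not installed
wp theme status kids-online-store 2>/dev/null
# Look for the theme folder, whether active or inactive
find wp-content/themes -maxdepth 3 \( -iname '*kids*online*store*' -o -iname '*online-store*' \)
# Files modified in the last 10 days whose names end in a PHP-like or other reviewed extension
find wp-content/uploads wp-content/themes -type f -mtime -10 | grep -Ei '\.php$|\.phtml$|\.phar$|\.shtml$|\.zip$|\.ico$|\.svg$'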

If you do not have shell access, check Appearance -> Themes and the hosting file manager. Inactive theme folders still matter if vulnerable code remains in the web root.

What to review

  • Theme folders for Kids Online Store 0.8.9 or older.
  • Recently modified PHP-like files under uploads, themes, cache, backup, and temporary directories.
  • Unknown administrator users, changed email addresses, new application passwords, and new plugin/theme editor activity.
  • Changed .htaccess, Nginx rules, wp-config.php, cron entries, or unfamiliar mu-plugins.
  • Access logs for requests to newly created files after June 16, 2026.

Safe fix path

  1. Update Kids Online Store if a fixed release is available from the vendor.
  2. If no fixed release is available, switch to a maintained theme and remove the vulnerable theme folder.
  3. Block PHP execution under wp-content/uploads and other upload-like directories.
  4. Preserve suspicious files and logs before deletion so cleanup can be verified.
  5. Rotate WordPress admin, SFTP/FTP, database, hosting-panel, and API credentials if unknown files are found.

Compromise signs

  • New PHP, PHTML, PHAR, SHTML, or double-extension files in upload paths.
  • Theme files changed without a WordPress update or deployment.
  • Unexpected redirects, popups, SEO spam, hidden admin users, or scheduled tasks.
  • Security plugins disabled, logs missing, or file permissions changed to broad write access.
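
The script below is an added example, not code from Patchstack, the theme vendor, or the original advisory. It lists files under an upload-like directory whose names end in a PHP-like extension or carry one as a double extension (for example name.php.jpg); the function name scan_uploads and the numbered variants such as .php7 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the advisory's own code): flag PHP-like and
# double-extension files under an upload-like directory.

# Extensions taken from the compromise-signs list on this page.
EXEC_EXT='php|phtml|phar|shtml'

# scan_uploads DIR [DAYS]
# Prints "<kind><TAB><path>" per hit, sorted.
#   exec   = name ends in a PHP-like extension (numbered forms such as
#            .php7 are also matched; that is an assumption of this example)
#   double = a PHP-like extension followed by further extensions
# With DAYS set, only files modified within that many days are checked.
# Limitation: file names containing newlines are not handled.
scan_uploads() {
    dir=$1
    days=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    if [ -n "$days" ]; then
        set -- -mtime "-$days"
    else
        set --
    fi
    find "$dir" -type f "$@" -print | awk -v ext="$EXEC_EXT" '
        {
            n = split($0, parts, "/")
            name = tolower(parts[n])          # match case-insensitively
            if (name ~ ("\\.(" ext ")[0-9]*$"))
                print "exec\t" $0
            else if (name ~ ("\\.(" ext ")[0-9]*(\\.[a-z0-9]+)+$"))
                print "double\t" $0
        }' | sort
}

# Run as a script: sh scan.sh wp-content/uploads 10
if [ "$#" -gt 0 ]; then
    scan_uploads "$@"
fi
```

Copy any reported file and its timestamps somewhere safe before removing it, so the cleanup can be verified against the logs.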

Repair help

Use Ping7 CVE Repair if Kids Online Store is present, the site accepted uploads, unknown files appear, or you cannot tell whether the theme was ever active. Send the domain, theme version, hosting type, and the first suspicious filename or timestamp.
