Skip to main content
CVE-2026-25031 CRITICAL PATCH Act Now

A PHP Object Injection vulnerability exists in the Tasty Daily WordPress theme (park_of_ideas) through version 1.27, caused by unsafe deserialization of untrusted data (CWE-502). This vulnerability allows attackers to inject arbitrary PHP objects, potentially leading to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. While no CVSS score or EPSS data is currently published, the vulnerability affects an active WordPress theme distribution and has been documented by Patchstack security researchers.

Deserialization Tasty Daily
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25030 CRITICAL PATCH Act Now

A PHP Object Injection vulnerability exists in the park_of_ideas Goldish theme due to insecure deserialization of untrusted data, allowing attackers to inject arbitrary objects and potentially achieve remote code execution or other malicious outcomes. The vulnerability affects Goldish versions prior to 3.47. While no CVSS score or EPSS data is publicly available, the CWE-502 classification indicates a serious deserialization flaw that could be exploited if untrusted data is processed without validation.

Deserialization Goldish
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25029 CRITICAL Act Now

A deserialization of untrusted data vulnerability exists in the park_of_ideas KIDZ theme that permits object injection attacks. All versions of KIDZ through 5.24 are affected, as confirmed via CPE cpe:2.3:a:park_of_ideas:kidz:*:*:*:*:*:*:*:*. An attacker can inject malicious serialized PHP objects to achieve arbitrary code execution or other unintended actions on affected WordPress installations running this theme.

Deserialization Kidz
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-24989 CRITICAL PATCH Act Now

A PHP object injection vulnerability exists in FantasticPlugins SUMO Affiliates Pro due to unsafe deserialization of untrusted data (CWE-502). This allows attackers to inject malicious serialized objects, potentially achieving remote code execution or other arbitrary actions depending on available gadget chains in the WordPress environment. All versions before 11.4.0 are affected, and a patch has been made available by the vendor.

Deserialization Sumo Affiliates Pro
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-24378 CRITICAL Act Now

This is a PHP Object Injection vulnerability in the Metagauss EventPrime WordPress plugin (eventprime-event-calendar-management) caused by unsafe deserialization of untrusted data. All versions up to and including 4.2.8.0 are affected, allowing attackers to inject malicious serialized objects that can lead to remote code execution or arbitrary actions depending on available PHP gadget chains. The vulnerability has been publicly disclosed and documented by Patchstack; exploitation likelihood and real-world impact depend on the presence of exploitable gadget chains in the target WordPress environment.

Deserialization Eventprime
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-22507 CRITICAL Act Now

A PHP Object Injection vulnerability exists in AncoraThemes Beelove WordPress theme through version 1.2.6, allowing attackers to inject and deserialize untrusted objects. This insecure deserialization flaw (CWE-502) enables object injection attacks that could lead to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. No CVSS score, EPSS data, or KEV confirmation is currently available; however, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15515, indicating it is tracked in official vulnerability databases.

Deserialization Beelove
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-22500 CRITICAL Act Now

A PHP object injection vulnerability exists in the Axiom Themes m2 | Construction and Tools Store theme through version 1.1.2, stemming from unsafe deserialization of untrusted data (CWE-502). This allows remote attackers to inject malicious serialized objects that can lead to arbitrary code execution or privilege escalation depending on available gadget chains in the WordPress environment. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability was reported by Patchstack and affects all installations running the vulnerable theme version.

Deserialization M2 Construction And Tools Store
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-32520 CRITICAL Act Now

RewardsWP, a WordPress plugin by Andrew Munro/AffiliateWP, contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows authenticated or unauthenticated attackers to escalate their privileges within the plugin and potentially the WordPress installation. Affected versions are RewardsWP up to and including 1.0.4. This vulnerability enables privilege escalation attacks, allowing attackers with limited access to gain elevated permissions and control over reward or affiliate functionality.

Privilege Escalation Rewardswp
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-27051 CRITICAL Act Now

An Incorrect Privilege Assignment vulnerability (CWE-266) exists in uxper Golo theme versions up to and including 1.7.0, enabling privilege escalation attacks. This WordPress theme vulnerability allows attackers to elevate their privileges within the application, potentially gaining unauthorized administrative access. The vulnerability was reported by Patchstack and affects all versions from an unspecified baseline through 1.7.0; no CVSS score, EPSS data, or active KEV status information is currently available.

Privilege Escalation Golo
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-24971 CRITICAL Act Now

Elated-Themes Search & Go contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. All versions up to and including version 2.8 are affected. An attacker can exploit this flaw to escalate privileges within the WordPress environment, gaining unauthorized administrative or elevated capabilities. While CVSS and EPSS scores are not available, the vulnerability has been documented by security researcher Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15582, indicating it has received third-party security scrutiny.

Privilege Escalation Search Go
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-24968 CRITICAL Act Now

This is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Xagio SEO WordPress plugin that allows privilege escalation. The vulnerability affects Xagio SEO versions up to and including 7.1.0.30. An attacker can exploit this flaw to elevate their privileges within the affected WordPress installation, potentially gaining administrative access or performing unauthorized actions. No CVSS score, EPSS data, or KEV status information is currently available, and the vulnerability has not been confirmed as actively exploited in the wild.

Privilege Escalation Xagio Seo
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-4784 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 PHP application allows unauthenticated remote attackers to execute arbitrary database queries through the serviceId parameter in /checkcheckout.php. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-23338 MEDIUM POC PATCH This Month

This vulnerability allows userspace applications to trivially trigger kernel warning backtraces in the AMD GPU (amdgpu) driver's user queue (userq) implementation by passing intentionally small num_fences values or exploiting legitimate growth between successive ioctl calls. While not a traditional security vulnerability enabling code execution or data theft, it constitutes an information disclosure issue through kernel log pollution and denial-of-service potential via warning spam. The Linux kernel across all versions utilizing the affected amdgpu userq code path is impacted, though the actual attack surface is limited to systems with AMD GPUs and unprivileged users with access to the amdgpu device interface.

Linux Information Disclosure Red Hat
NVD VulDB GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-2973 MEDIUM POC PATCH This Month

This vulnerability is a stored cross-site scripting (XSS) flaw in GitLab's Mermaid diagram rendering that allows authenticated users to inject arbitrary JavaScript code into other users' browsers through improperly sanitized entity-encoded content. The vulnerability affects GitLab CE/EE versions 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1, with a CVSS score of 5.4 (medium severity). A public proof-of-concept exploit is available on HackerOne, indicating active awareness in the security community.

Gitlab XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33701 CRITICAL PATCH NEWS Act Now

A deserialization vulnerability in OpenTelemetry Java instrumentation versions prior to 2.26.1 allows remote code execution when the RMI instrumentation endpoint processes untrusted data without serialization filters. The vulnerability affects applications using the OpenTelemetry Java agent with network-reachable RMI/JMX endpoints and gadget-chain-compatible libraries on the classpath. This was responsibly disclosed in coordination with Datadog, and a patch is available in version 2.26.1.

RCE Java Deserialization
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-32539 CRITICAL Act Now

A blind SQL injection vulnerability exists in the PublishPress Revisions WordPress plugin through version 3.7.23, allowing attackers to execute arbitrary SQL commands against the underlying database. The vulnerability affects all installations of PublishPress Revisions up to and including version 3.7.23, enabling attackers to extract sensitive data, modify database contents, or potentially achieve remote code execution depending on database permissions and WordPress configuration. No CVSS score or EPSS data is currently available, and KEV status is unknown, though the vulnerability has been documented by Patchstack security researchers with a public reference available.

SQLi Publishpress Revisions
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-32499 CRITICAL Act Now

A blind SQL injection vulnerability exists in QuantumCloud ChatBot plugin affecting versions up to and including 7.7.9, allowing attackers to execute arbitrary SQL commands through improper neutralization of special elements in SQL queries. The vulnerability impacts all installations of the ChatBot plugin across the affected version range, potentially enabling unauthorized data extraction, manipulation, or deletion depending on database permissions. While no CVSS score or EPSS data is currently available, the blind SQL injection classification indicates a high-risk condition requiring immediate patching.

SQLi Chatbot
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-31920 CRITICAL Act Now

A blind SQL injection vulnerability exists in the Product Rearrange for WooCommerce plugin (versions up to 1.2.2) that allows attackers to execute arbitrary SQL commands against the WooCommerce database without direct output visibility. This affects WordPress installations using the Devteam HaywoodTech product-rearrange-woocommerce plugin, enabling attackers to extract sensitive data, modify database records, or potentially escalate privileges. While no CVSS score or EPSS data is currently published, the vulnerability's classification as blind SQL injection combined with its presence in a publicly available WordPress plugin suggests moderate to high real-world risk of exploitation.

SQLi WordPress
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-25377 CRITICAL Act Now

A SQL injection vulnerability exists in the eyecix Addon Jobsearch Chat plugin for WordPress, affecting all versions through 3.0, that allows attackers to execute arbitrary SQL commands against the underlying database. The vulnerability stems from improper neutralization of special SQL characters in user-supplied input, classified under CWE-89 (SQL Injection). While no CVSS score or EPSS metric is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD tracking ID EUVD-2026-15695, indicating active awareness in vulnerability tracking systems.

SQLi Addon Jobsearch Chat
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-25371 CRITICAL Act Now

A blind SQL injection vulnerability exists in King-Theme's Lumise Product Designer WordPress plugin, allowing unauthenticated attackers to extract sensitive data through time-based or boolean-based SQL inference techniques without direct query result visibility. The vulnerability affects all versions of Lumise Product Designer prior to 2.0.9. Attackers can exploit this to bypass authentication, enumerate database schemas, or extract user credentials and plugin configuration data.

SQLi Lumise Product Designer
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-25340 CRITICAL PATCH Act Now

A blind SQL injection vulnerability exists in the NooTheme Jobmonster WordPress theme that allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The vulnerability affects Jobmonster versions prior to 4.8.4, and while no active exploitation in the wild has been confirmed via KEV status, the vulnerability was disclosed by Patchstack with sufficient technical detail to enable exploitation. This is a critical web application flaw that could lead to complete database compromise, including extraction of sensitive user data, credentials, and job postings.

SQLi Jobmonster
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-24993 CRITICAL Act Now

A blind SQL injection vulnerability exists in WPFactory's Advanced WooCommerce Product Sales Reporting plugin (versions through 4.1.3) that allows attackers to execute arbitrary SQL commands against the underlying database. This WordPress plugin is widely deployed on e-commerce sites using WooCommerce, and the blind SQL injection technique enables attackers to extract sensitive data without requiring direct error message feedback. While no CVSS score, EPSS value, or KEV status has been assigned at this time, the vulnerability is classified as CWE-89 (SQL Injection) and has been documented by Patchstack, indicating active research and potential proof-of-concept availability.

WordPress SQLi
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-22484 CRITICAL Act Now

A SQL Injection vulnerability exists in Pebas Lisfinity Core, a WordPress plugin, affecting versions up to and including 1.5.0. This improper neutralization of special elements in SQL commands (CWE-89) allows attackers to inject arbitrary SQL code, potentially leading to unauthorized data access, modification, or deletion of the underlying database. The vulnerability has been documented by Patchstack and assigned EUVD-2026-15489, though no CVSS score, EPSS data, or confirmed active exploitation status is currently available in the provided intelligence.

SQLi Lisfinity Core
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-28827 CRITICAL PATCH Act Now

Improper path validation in macOS (Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4) allows sandboxed applications to escape their sandbox restrictions through directory path traversal. A local attacker with the ability to run malicious apps can exploit this weakness to execute code outside sandbox boundaries with full system privileges. No patch is currently available for this critical vulnerability.

Apple Path Traversal macOS
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-2343 MEDIUM POC This Month

The PeproDev Ultimate Invoice WordPress plugin through version 2.2.5 contains an information disclosure vulnerability in its bulk download invoices feature, which generates ZIP archives with predictably named files containing exported invoice PDFs. An unauthenticated or low-privileged attacker can brute force the predictable ZIP file naming scheme to retrieve and download archives containing sensitive personally identifiable information (PII) from invoices. A public proof-of-concept exploit is available via WPScan, making this vulnerability actively exploitable in the wild.

WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-20688 CRITICAL PATCH Act Now

Sandbox escape vulnerability in Apple iOS, iPadOS, macOS, and visionOS allows local attackers to break out of application sandboxes through improper path validation, potentially enabling unauthorized access to system resources and data. An attacker with local access could leverage this flaw to execute arbitrary operations outside application boundaries and bypass security restrictions. No patch is currently available for this critical vulnerability affecting multiple Apple platforms.

Apple Path Traversal macOS iOS
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-32573 CRITICAL Act Now

A Code Injection vulnerability (CWE-94) exists in Nelio AB Testing WordPress plugin through version 8.2.7 that allows attackers to execute arbitrary code on affected installations. The vulnerability affects the Nelio Software product across all versions up to and including 8.2.7, potentially enabling remote code execution (RCE). This is a critical severity issue as it permits unauthenticated or low-privilege attackers to gain complete control over WordPress sites running the vulnerable plugin.

Code Injection RCE Nelio Ab Testing
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-25447 CRITICAL Act Now

A Code Injection vulnerability (CWE-94) exists in the Jonathan Daggerhart Widget Wrangler WordPress plugin through version 2.3.9, allowing unauthenticated attackers to execute arbitrary code on affected installations. This Remote Code Execution (RCE) vulnerability enables complete server compromise and data exfiltration. Active exploitation has been documented by Patchstack, indicating this is a practical, real-world threat requiring immediate patching.

Code Injection RCE Widget Wrangler
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-32524 CRITICAL Act Now

An unrestricted file upload vulnerability (CWE-434) exists in Jordy Meow's Photo Engine WordPress plugin versions up to and including 6.4.9, allowing attackers to upload malicious web shells to compromised servers. The vulnerability affects the wplr-sync component and permits arbitrary file uploads with dangerous types, potentially leading to remote code execution. No CVSS score, EPSS probability, or KEV status information is currently available, but the ability to upload executable web shells represents a critical exploitation path.

File Upload Photo Engine
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27071 CRITICAL Act Now

A missing authorization vulnerability exists in Arraytics WPCafe WordPress plugin versions up to 3.0.7, where incorrectly configured access control allows attackers to bypass authentication and authorization checks. This broken access control flaw (CWE-862) enables unauthorized users to perform actions they should not have permission to execute, potentially leading to unauthorized data access, modification, or plugin functionality abuse. The vulnerability affects all installations of WPCafe through version 3.0.7 and is tracked under ENISA EUVD ID EUVD-2026-15773 with confirmation from Patchstack vulnerability research.

Authentication Bypass Wpcafe
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-32991 CRITICAL Act Now

N2WS Backup & Recovery before version 4.4.0 contains a remote code execution vulnerability in its RESTful API that requires a two-step attack chain to exploit. An unauthenticated attacker can execute arbitrary code on affected systems, potentially compromising backup and disaster recovery infrastructure. This vulnerability affects the N2WS product line and should be treated as critical given the RCE classification and the security-sensitive nature of backup systems.

RCE Race Condition
NVD VulDB
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-32519 CRITICAL Act Now

Bit SMTP version 1.2.2 and earlier contains an Incorrect Privilege Assignment vulnerability (CWE-266) that allows privilege escalation attacks. The vulnerability affects the Bit SMTP WordPress plugin and permits attackers to elevate their privileges beyond their intended authorization level. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15882, indicating formal recognition of the security issue.

Privilege Escalation Bit Smtp
NVD VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-4758 HIGH This Week

Authenticated attackers with Subscriber-level access can delete arbitrary files on WordPress servers running WP Job Portal plugin versions up to 2.4.9, enabling remote code execution by removing critical files like wp-config.php. The vulnerability stems from insufficient file path validation in the removeFileCustom function. EPSS exploitation probability is 0.25% (48th percentile), indicating low predicted real-world exploitation likelihood, though the CVSS score of 8.8 reflects high potential impact when successfully exploited. No public exploit identified at time of analysis.

WordPress PHP RCE Path Traversal
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-1001 MEDIUM POC PATCH This Month

Domoticz versions prior to 2026.1 contain a stored cross-site scripting (XSS) vulnerability in the web interface's Add Hardware and device rename functionality that allows authenticated administrators to inject arbitrary JavaScript or HTML markup. The injected malicious code is stored persistently and executed in the browsers of any users viewing the affected pages, potentially enabling unauthorized session hijacking or malicious actions performed under the victim's privileges. A patch is available from the vendor, and while this requires administrator-level access to exploit, the persistent nature of the vulnerability and user interaction requirement represent moderate real-world risk within administrative environments.

XSS Domoticz
NVD VulDB GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-33686 HIGH PATCH This Week

Authenticated attackers can bypass file path restrictions in PHP's code16/sharp package by injecting path separators into file extensions, enabling arbitrary file writes outside intended directories. The vulnerability stems from incomplete input sanitization in the FileUtil class where extensions are extracted but never validated before being passed to storage functions. A patch is available to address this high-severity path traversal issue affecting all users of the vulnerable package.

Path Traversal PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-70887 HIGH PATCH This Week

A privilege escalation vulnerability exists in ralphje Signify versions prior to 0.9.2, affecting the signed_data.py and context.py components. Remote attackers can exploit this flaw to escalate privileges within the application's cryptographic signature verification context. While CVSS and EPSS scores are not currently available, the vulnerability has been patched in version 0.9.2 and related issues have been addressed in the upstream osslsigncode project.

Privilege Escalation Suse
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-32513 HIGH This Week

A deserialization of untrusted data vulnerability in the JS Archive List jQuery widget (jquery-archive-list-widget) versions up to 6.1.7 allows remote attackers to inject malicious objects and achieve code execution or information disclosure. The vulnerability affects WordPress installations using the vulnerable plugin versions, and exploitation requires sending crafted serialized PHP objects to the affected endpoint. No CVSS vector or EPSS score has been assigned, and KEV status is unknown, though the vulnerability was reported by Patchstack security researchers.

Deserialization Js Archive List
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33687 HIGH PATCH This Week

The code16/sharp Laravel admin panel package contains a critical file upload vulnerability that allows authenticated users to bypass all file type restrictions by manipulating client-controlled validation rules. Affected versions prior to 9.20.0 accept a user-supplied validation_rule parameter that is passed directly to Laravel's validator, enabling attackers to upload arbitrary files including PHP webshells. With a CVSS score of 8.8, this vulnerability can lead to Remote Code Execution when the storage disk is publicly accessible, though default configurations provide some protection against direct execution.

PHP File Upload RCE
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-67030 HIGH PATCH GHSA This Week

A directory traversal vulnerability exists in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils versions prior to commit 6d780b3378829318ba5c2d29547e0012d5b29642, allowing attackers to escape the intended extraction directory and write arbitrary files to the filesystem, potentially leading to remote code execution. The vulnerability affects any application using vulnerable versions of plexus-utils for archive extraction operations. A proof-of-concept has been publicly disclosed via a GitHub Gist, and the fix has been merged into the project repository.

Path Traversal RCE N A
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-23514 HIGH PATCH This Week

An access control vulnerability exists in Kiteworks Core versions 9.2.0 and 9.2.1 that allows authenticated users to access unauthorized content within the private data network. With a CVSS score of 8.8 (High), an attacker with low-level authenticated access can potentially access, modify, or delete sensitive data they should not have permissions to view. No public proof-of-concept or active exploitation (KEV listing) has been reported at this time.

Authentication Bypass Core
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33917 HIGH This Week

SQL injection in OpenEMR versions prior to 8.0.0.3 enables authenticated attackers to execute arbitrary SQL commands through the CAMOS form's ajax_save functionality, potentially leading to complete database compromise including extraction of sensitive health records, data modification, and service disruption. The vulnerability requires low-privilege authentication (PR:L) with no user interaction (UI:N) and is network-exploitable (AV:N), though EPSS assigns only 0.03% (8th percentile) exploitation probability and no public exploit identified at time of analysis. Vendor-released patch available in version 8.0.0.3.

Openemr SQLi PHP
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-32484 HIGH This Week

A PHP object injection vulnerability exists in BoldGrid weForms plugin through version 1.6.26 due to unsafe deserialization of untrusted data, allowing attackers to instantiate arbitrary objects and potentially execute remote code or manipulate application state. This affects WordPress installations using the vulnerable weForms plugin versions, and exploitation requires no authentication based on the deserialization attack vector. While no CVSS score or EPSS data is currently available, the CWE-502 classification and object injection capability represent a critical-severity issue typical of deserialization flaws that often lead to remote code execution.

Deserialization Weforms
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-27045 HIGH This Week

A PHP object injection vulnerability exists in the sbthemes WooCommerce Infinite Scroll plugin (versions up to and including 1.6.2) due to unsafe deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects, potentially leading to remote code execution or arbitrary object instantiation depending on available gadget chains within the WordPress environment. The vulnerability affects all installations of this plugin through version 1.6.2 and has been documented by Patchstack, though CVSS scoring and exploitation metrics are currently unavailable.

WordPress Deserialization
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25400 HIGH This Week

Apicona, a WordPress theme by thememount, contains a PHP object injection vulnerability stemming from unsafe deserialization of untrusted data (CWE-502). All versions through 24.1.0 are affected. An attacker can exploit this to inject arbitrary objects into the application, potentially leading to remote code execution or other malicious object manipulation depending on available gadget chains within the PHP environment.

Deserialization Apicona
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25360 HIGH PATCH This Week

A deserialization of untrusted data vulnerability exists in the Rascals Vex theme (CWE-502) that allows attackers to perform PHP object injection attacks. The vulnerability affects Vex versions prior to 1.2.9, as confirmed by Patchstack reporting and ENISA EUVD-2026-15684. An attacker exploiting this flaw can inject malicious serialized objects to achieve arbitrary code execution or other malicious outcomes depending on available PHP magic methods in the application environment.

Deserialization Vex
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25359 HIGH PATCH This Week

A deserialization of untrusted data vulnerability exists in Pendulum (a PHP datetime library) versions prior to 3.1.5, allowing attackers to perform object injection attacks. The vulnerability affects the rascals Pendulum library through unvalidated deserialization of user-supplied data. An attacker can exploit this to instantiate arbitrary PHP objects, potentially leading to remote code execution or other malicious outcomes depending on the application's gadget chain availability.

Deserialization Pendulum
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25358 HIGH PATCH This Week

A PHP Object Injection vulnerability exists in the Rascals Meloo WordPress theme due to unsafe deserialization of untrusted data, classified under CWE-502 (Deserialization of Untrusted Data). This vulnerability affects Meloo versions prior to 2.8.2 and allows attackers to inject malicious objects that could lead to remote code execution or other security compromises. While no CVSS score, EPSS probability, or KEV status has been publicly assigned, the vulnerability was reported by Patchstack and has been assigned ENISA EUVD tracking ID EUVD-2026-15679, indicating active monitoring by European vulnerability databases.

Deserialization Meloo
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-24981 HIGH This Week

A PHP Object Injection vulnerability exists in NooTheme Visionary Core plugin versions up to and including 1.4.9, stemming from unsafe deserialization of untrusted data. An attacker can inject malicious serialized objects to achieve arbitrary code execution or other critical impacts depending on available magic methods in the WordPress environment. No CVSS score, EPSS data, or KEV confirmation is currently available; however, the vulnerability is documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15602.

Deserialization Visionary Core
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-24978 HIGH This Week

A PHP Object Injection vulnerability exists in NooTheme Jobica Core plugin through version 1.4.1, stemming from unsafe deserialization of untrusted data. This affects WordPress installations using the vulnerable Jobica Core plugin, allowing attackers to inject malicious serialized objects that can lead to arbitrary code execution or information disclosure depending on available gadget chains. The vulnerability has been identified by Patchstack but lacks public CVSS scoring and KEV confirmation at this time.

Deserialization Jobica Core
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-24976 HIGH This Week

A PHP Object Injection vulnerability exists in NooTheme's Organici Library plugin through version 2.1.2, stemming from unsafe deserialization of untrusted data. This vulnerability allows attackers to inject arbitrary PHP objects into the application, potentially leading to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. No active exploitation in the wild (KEV status) or published proof-of-concept has been confirmed from available sources, but the vulnerability was reported by Patchstack and assigned EUVD-2026-15592, indicating it is tracked in official vulnerability databases.

Deserialization Organici Library
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
Prev Page 2 of 13 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy