Woodmart CVE-2026-23971

EUVD-2026-15544 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-03-25 · Patchstack · GHSA-7648-c8fp-vqw5
CVSS 3.1 (NVD): 8.1

Severity by source

NVD (primary): 8.1 HIGH · AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Re-analysis Queued · Apr 24, 2026 - 16:37 · vuln.today · cvss_changed
EUVD ID Assigned · Mar 25, 2026 - 16:47 · euvd · EUVD-2026-15544
Analysis Generated · Mar 25, 2026 - 16:47 · vuln.today
CVE Published · Mar 25, 2026 - 16:14 · nvd · HIGH 8.1

Description (CVE.org)

Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection. This issue affects WoodMart: from n/a through <= 8.3.8.

Analysis (AI)

A PHP object injection vulnerability exists in the xtemos WoodMart WordPress theme through version 8.3.8, stemming from insecure deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects that can be instantiated during deserialization, potentially leading to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Send malicious serialized object to WoodMart
Exploit: Trigger unsafe deserialization in vulnerable code path
Execution: Inject arbitrary PHP object
Impact: Execute remote code on server

Vulnerability Assessment (AI)

Exploitation: Requires WoodMart theme version <= 8.3.8 installed on WordPress. …
Risk Assessment: While CVSS and EPSS scores are not available, the underlying vulnerability class (CWE-502) is consistently rated as critical in security research due to its direct path to remote code execution in PHP environments. …
Exploit Scenario: An attacker crafts a malicious HTTP request containing a serialized PHP object payload targeting a WoodMart form field, API endpoint, or theme option that accepts user input without proper validation. When the theme processes this input via unserialize(), the malicious object is instantiated, triggering a gadget chain within WordPress core or installed plugins (e.g., leveraging __destruct() or __wakeup() magic methods). …
Remediation: Website administrators running WoodMart should immediately upgrade the theme to a version greater than 8.3.8 (check the xtemos official website or the WordPress.org theme repository for the latest patched version). …
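
A defender-side check for the affected range stated above (WoodMart through 8.3.8), added here as an example; it is not code from vuln.today or xtemos. It assumes a default WordPress layout with the theme under wp-content/themes/woodmart and reads the standard Version field of the theme's style.css header; all function names are illustrative.

```python
import re
from pathlib import Path

# From the advisory text: WoodMart is affected "through <= 8.3.8".
LAST_AFFECTED = (8, 3, 8)
# Assumption: default WordPress layout; "woodmart" is the slug named in the CVE description.
PARENT_STYLE = Path("wp-content/themes/woodmart/style.css")

def theme_version(style_css):
    """Return the 'Version:' value from a WordPress theme style.css header, or None."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", style_css, re.M | re.I)
    return m.group(1) if m else None

def version_tuple(text):
    """'8.3.8' -> (8, 3, 8). Stops at the first component with no leading digits."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(style_css):
    """True/False for a readable version, None when it cannot be determined."""
    found = version_tuple(theme_version(style_css) or "")
    if not found:
        return None
    # Pad to equal length so 8.3 compares as 8.3.0 and 8.3.8.1 sorts above 8.3.8.
    width = max(len(found), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(found) <= pad(LAST_AFFECTED)

def check_install(wp_root):
    """Check the parent theme directory, not the active child theme:
    a child theme's style.css carries its own, unrelated Version field."""
    path = Path(wp_root) / PARENT_STYLE
    return is_affected(path.read_text(errors="replace")) if path.is_file() else None

if __name__ == "__main__":
    # Constructed sample header, not taken from a real WoodMart release.
    sample = "/*\n Theme Name: Woodmart\n Version: 8.3.8\n*/\n"
    print("affected:", is_affected(sample))
```

A result of None means the version could not be read and the install needs a manual look; it does not mean the site is unaffected.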
