Skip to main content

Organici Library CVE-2026-24976

| EUVD-2026-15592 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-03-25 Patchstack GHSA-85xp-wwwc-66g8
Deserialization Organici Library
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15592
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 8.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in NooTheme Organici Library noo-organici-library allows Object Injection.This issue affects Organici Library: from n/a through <= 2.1.2.

AnalysisAI

A PHP Object Injection vulnerability exists in NooTheme's Organici Library plugin through version 2.1.2, stemming from unsafe deserialization of untrusted data. This vulnerability allows attackers to inject arbitrary PHP objects into the application, potentially leading to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to WordPress with low-privilege account
Delivery
Craft malicious serialized PHP object
Exploit
Send via vulnerable noo-organici-library function
Execution
Trigger unsafe unserialize()
Impact
Execute arbitrary code with plugin privileges
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires authenticated user access to NooTheme Organici Library version <= 2.1.2. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment While CVSS and EPSS scores are not provided, the underlying vulnerability class (CWE-502 deserialization flaws) is consistently rated as critical in CVSS when RCE is possible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to a vulnerable WordPress site could craft a malicious serialized PHP object payload and inject it through an unsanitized input vector in the Organici Library plugin (such as a form field, API endpoint, or cookie parameter). Upon deserialization, if suitable gadget chains exist in the WordPress environment, the attacker could instantiate dangerous objects that execute arbitrary PHP code, allowing them to gain full control of the WordPress installation, exfiltrate database contents, or pivot to further compromise the server.
Remediation Immediately upgrade the NooTheme Organici Library plugin to a version newer than 2.1.2 if available from the vendor; check the official Patchstack advisory and NooTheme's plugin repository for patched releases. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 7 days: Identify all affected systems and apply vendor patches promptly. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-24976 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy