What is the CVSS score of CVE-2026-27096?

CVE-2026-27096 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of WordPress are affected by CVE-2026-27096?

The ColorFolio Freelance Designer WordPress theme contains a critical code execution vulnerability affecting any organization using this theme on WordPress sites.

How to fix or mitigate CVE-2026-27096?

Within 24 hours: Identify all WordPress installations using ColorFolio theme versions up to 1.3 and document inventory. Within 7 days: Implement compensating controls (WAF rules blocking suspicious serialized PHP objects, disable PHP object deserialization if possible, restrict administrative access, enable website activity monitoring). Within 30 days: Transition away from the vulnerable theme by upgrading to version 1.4+ when available or migrating to an alternative maintained WordPress theme.

WordPress CVE-2026-27096

EUVD-2026-13053 HIGH

Deserialization of Untrusted Data (CWE-502)

2026-03-19 Patchstack

Deserialization WordPress

8.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

8.1 HIGH

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 21:37 vuln.today

cvss_changed

EUVD ID Assigned

Mar 19, 2026 - 06:00 euvd

EUVD-2026-13053

Analysis Generated

Mar 19, 2026 - 06:00 vuln.today

CVE Published

Mar 19, 2026 - 05:31 nvd

HIGH 8.1

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection.This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3.

AnalysisAI

The ColorFolio Freelance Designer WordPress Theme versions up to 1.3 contains a deserialization of untrusted data vulnerability that allows attackers to perform PHP Object Injection. This enables remote unauthenticated attackers to execute arbitrary code or manipulate application logic, though exploitation requires high attack complexity. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious serialized PHP object

Exploit

Submit through vulnerable deserialization endpoint

Execution

Trigger object injection in ColorFolio theme

Impact

Execute arbitrary code with WordPress privileges

Access

Craft malicious serialized PHP object

Exploit

Submit through vulnerable deserialization endpoint

Execution

Trigger object injection in ColorFolio theme

Impact

Execute arbitrary code with WordPress privileges

Vulnerability AssessmentAI

Exploitation	BuddhaThemes ColorFolio WordPress Theme versions up to 1.3. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS score of 8.1 (High) reflects significant potential impact with high confidentiality, integrity, and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker identifies a WordPress site running the ColorFolio theme version 1.3 or earlier. The attacker crafts a malicious serialized PHP object containing a payload designed to exploit available PHP gadget chains within the WordPress environment or theme dependencies. …
Remediation	Users should immediately upgrade the ColorFolio WordPress theme to a version newer than 1.3 if available from BuddhaThemes, or discontinue use of the theme if no patched version exists. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress installations using ColorFolio theme versions up to 1.3 and document inventory. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-8157 HIGH This Week POC

8.8 Jun 22

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new u

CVE-2026-8089 HIGH This Week POC

7.1 Jun 17

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin

CVE-2026-9570 HIGH This Week POC

7.1 Jun 17

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline

CVE-2026-4259 HIGH This Week POC

7.1 Jun 22

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outp

CVE-2026-6858 HIGH This Week POC

7.1 Jun 22

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthen

CVE-2026-27096 vulnerability details – vuln.today

Back

WordPress CVE-2026-27096

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code