Skip to main content

Pelicula CVE-2026-32512

| EUVD-2026-15868 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-03-25 Patchstack GHSA-w68h-wpmm-q4p8
Deserialization Pelicula
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:48 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.10
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15868
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
CRITICAL 9.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.This issue affects Pelicula: from n/a through < 1.10.

AnalysisAI

A PHP object injection vulnerability exists in the Edge-Themes Pelicula video production and movie theme due to insecure deserialization of untrusted data, classified as CWE-502. The vulnerability affects Pelicula versions prior to 1.10, allowing attackers to inject arbitrary objects and potentially achieve remote code execution or other malicious outcomes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send malicious serialized PHP object
Exploit
Trigger deserialization in Pelicula theme
Execution
Inject arbitrary object properties
Impact
Achieve remote code execution
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Remote unauthenticated attacker can exploit default Edge-Themes Pelicula WordPress theme versions before 1.10 by sending untrusted serialized data that triggers object deserialization without authentication or user interaction required. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Without a published CVSS score or EPSS probability metric, risk assessment relies on vulnerability class severity and attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers a WordPress site running Pelicula theme version 1.9 or earlier. If the theme contains an unauthenticated endpoint or a parameter that processes user input through unserialize(), the attacker crafts a malicious serialized PHP object targeting known gadgets in WordPress or installed plugins. …
Remediation Upgrade the Pelicula theme to version 1.10 or later immediately by accessing the WordPress admin dashboard, navigating to Appearance > Themes, and clicking the update button if available, or by downloading the patched version directly from the Edge-Themes website or WordPress.org theme repository. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all WordPress installations using Pelicula theme and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-32512 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy