Skip to main content

Love Story EUVD-2026-15791

| CVE-2026-27082 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-03-25 Patchstack GHSA-382x-9fjr-hvxc
Deserialization Love Story
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15791
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection.This issue affects Love Story: from n/a through <= 1.3.12.

AnalysisAI

A PHP Object Injection vulnerability exists in ThemeREX Love Story WordPress theme through version 1.3.12, stemming from unsafe deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects that can lead to remote code execution or other object-oriented attack chains. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send malicious serialized object to ThemeREX Love Story
Exploit
Trigger unsafe deserialization in plugin
Execution
Inject arbitrary PHP object
Impact
Execute remote code on server
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Remote unauthenticated attacker can exploit ThemeREX Love Story plugin versions <= 1.3.12 via unsafe deserialization of untrusted data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment While CVSS and EPSS scores are unavailable, the underlying technical risk is high due to the nature of CWE-502 vulnerabilities. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers that the Love Story theme accepts user input (such as through a contact form, AJAX endpoint, or theme option) that is passed to unserialize() without validation. The attacker crafts a malicious serialized PHP object using a gadget chain from WordPress core or a common plugin (e.g., one that uses __destruct to execute system commands) and sends it via POST request. …
Remediation Immediately update the ThemeREX Love Story theme to a version newer than 1.3.12 if a patched version is available from the vendor; check the Patchstack database entry and the theme's official repository (WordPress.org or ThemeREX's site) for the latest release. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all affected systems and apply vendor patches immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-15791 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy