Leroux
Monthly
A deserialization of untrusted data vulnerability exists in Elated-Themes Leroux WordPress theme versions prior to 1.4, allowing unauthenticated attackers to perform arbitrary object instantiation through object injection attacks. An attacker can exploit this vulnerability to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains in the WordPress environment. While no CVSS score or active KEV status is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15861, indicating it is a recognized threat affecting WordPress installations using the vulnerable Leroux theme.
A deserialization of untrusted data vulnerability exists in Elated-Themes Leroux WordPress theme versions prior to 1.4, allowing unauthenticated attackers to perform arbitrary object instantiation through object injection attacks. An attacker can exploit this vulnerability to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains in the WordPress environment. While no CVSS score or active KEV status is currently available, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2026-15861, indicating it is a recognized threat affecting WordPress installations using the vulnerable Leroux theme.