{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25360", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:48.541Z", "datePublished": "2026-03-25T16:14:45.362Z", "dateUpdated": "2026-03-26T15:43:02.865Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "vex", "product": "Vex", "vendor": "rascals", "versions": [{"changes": [{"at": "1.2.9", "status": "unaffected"}], "lessThanOrEqual": "< 1.2.9", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:25.686Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.<p>This issue affects Vex: from n/a through < 1.2.9.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.This issue affects Vex: from n/a through < 1.2.9."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:45.362Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/vex/vulnerability/wordpress-vex-theme-1-2-9-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Vex theme < 1.2.9 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:42:50.477725Z", "id": "CVE-2026-25360", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:43:02.865Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "WordPress Vex theme < 1.2.9 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "rascals", "product": "Vex", "versions": [{"status": "affected", "changes": [{"at": "1.2.9", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 1.2.9"}], "packageName": "vex", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:25.686Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/vex/vulnerability/wordpress-vex-theme-1-2-9-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.This issue affects Vex: from n/a through < 1.2.9.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.<p>This issue affects Vex: from n/a through < 1.2.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:45.362Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25360", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:42:50.477725Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-26T15:42:59.724Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-25360", "state": "PUBLISHED", "dateUpdated": "2026-03-25T16:14:45.362Z", "dateReserved": "2026-02-02T12:52:48.541Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:45.362Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.This issue affects Vex: from n/a through < 1.2.9."}], "id": "CVE-2026-25360", "lastModified": "2026-03-26T16:16:06.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:47.143", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/vex/vulnerability/wordpress-vex-theme-1-2-9-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Vex", "source": "cna", "vendor": "rascals"}, "product": "vex", "vendor": "rascals"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T17:41:06.505349+00:00", "value": {"mitigation_remediation": ["Update the Vex theme to version\u00a01.2.9 or newer, removing the vulnerable code entirely. If an immediate update is not feasible, remove or disable the Vex theme and replace it with a secure alternative. Monitor application logs for abnormal object deserialization activity and restrict plugin input to trusted data only."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The issue affects the rascals Vex WordPress theme on all releases older than version\u00a01.2.9. This includes every installation using any Vex version from the initial release up to, but not including, 1.2.9, typically found on standard WordPress installations.", "description_and_impact": "A deserialization flaw in the rascals Vex theme allows an attacker to inject PHP objects into the system, potentially leading to remote code execution or similar malicious actions. The vulnerability arises from processing untrusted serialized data without proper validation, enabling arbitrary object creation if crafted input reaches backend logic. The impact spans privacy, integrity, and availability, allowing an attacker to run arbitrary code on the affected WordPress site.", "risk_and_exploitability": "The CVSS score of 8.8 classifies this flaw as high severity. EPSS indicates a low probability of exploitation, and the flaw is not listed in the CISA KEV catalog. The attack likely proceeds by sending a specially crafted serialized payload through a vulnerable input point in the theme, which, when deserialized, instantiates attacker\u2011controlled objects and executes code. No public exploit is documented in the CVE source, but the nature of object injection makes it a significant threat if combined with other vulnerabilities or elevated privileges."}}}}, "created": "2026-03-25T21:44:53.043934+00:00", "updated": "2026-03-27T09:45:55.806825+00:00", "vendors": ["rascals", "rascals$PRODUCT$vex", "wordpress", "wordpress$PRODUCT$wordpress"]}