{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25029", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:52:08.057Z", "datePublished": "2026-03-25T16:14:37.998Z", "dateUpdated": "2026-03-26T15:50:12.015Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "kidz", "product": "KIDZ", "vendor": "park_of_ideas", "versions": [{"changes": [{"at": "5.25", "status": "unaffected"}], "lessThanOrEqual": "<= 5.24", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:19.585Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection.<p>This issue affects KIDZ: from n/a through <= 5.24.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection.This issue affects KIDZ: from n/a through <= 5.24."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:37.998Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/kidz/vulnerability/wordpress-kidz-theme-5-24-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress KIDZ theme <= 5.24 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:47:50.920465Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:50:12.015Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:47:50.920465Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:48:08.706Z"}}], "cna": {"title": "WordPress KIDZ theme <= 5.24 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "park_of_ideas", "product": "KIDZ", "versions": [{"status": "affected", "changes": [{"at": "5.25", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 5.24"}], "packageName": "kidz", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:19.585Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/kidz/vulnerability/wordpress-kidz-theme-5-24-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection.This issue affects KIDZ: from n/a through <= 5.24.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection.<p>This issue affects KIDZ: from n/a through <= 5.24.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:37.998Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25029", "state": "PUBLISHED", "dateUpdated": "2026-03-26T15:50:12.015Z", "dateReserved": "2026-01-28T09:52:08.057Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:37.998Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection.This issue affects KIDZ: from n/a through <= 5.24."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en park_of_ideas KIDZ kidz permite la inyecci\u00f3n de objetos. Este problema afecta a KIDZ: desde n/a hasta &lt;= 5.24."}], "id": "CVE-2026-25029", "lastModified": "2026-03-26T17:16:29.687", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:42.577", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/kidz/vulnerability/wordpress-kidz-theme-5-24-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.24]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "KIDZ", "source": "cna", "vendor": "park_of_ideas"}, "product": "kidz", "vendor": "park_of_ideas"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:12:39.503936+00:00", "value": {"mitigation_remediation": ["Upgrade the KIDZ theme to a version newer than 5.24", "Verify the integrity of theme files to ensure no tampering has occurred", "Monitor the theme vendor\u2019s security advisories for updates"], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "Affected by this flaw are all installations of the park_of_ideas KIDZ theme with versions from the earliest available up to 5.24. Sites that have not yet updated beyond 5.24 remain vulnerable. The theme is usually used in WordPress sites, so the impact span is any WordPress installation deploying the vulnerable theme.", "description_and_impact": "This vulnerability is a deserialization of untrusted data flaw that allows PHP object injection in the WordPress KIDZ theme. The flaw can be exploited to execute arbitrary PHP code on the hosting server, potentially compromising confidentiality, integrity, and availability of the WordPress installation.", "risk_and_exploitability": "The CVSS score is not provided, but the manipulation needed to trigger the flaw appears to require sending a crafted serialized payload via an HTTP request. The lack of EPSS data means we cannot quantify exploit likelihood precisely. The vulnerability is not listed in the CISA KEV catalog. Accordingly, if the attacker can inject the payload, they can achieve remote code execution. The attack vector is inferred to be network-based: an external user could target the site with a malicious payload. The risk remains high if the theme is current or older, especially because the exploit can be carried out without authentication, as no mention of restricted access is given."}}}}, "created": "2026-03-25T21:34:15.495078+00:00", "updated": "2026-03-26T11:39:30.428664+00:00", "vendors": ["park_of_ideas", "park_of_ideas$PRODUCT$kidz", "wordpress", "wordpress$PRODUCT$wordpress"]}