{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25032", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:52:08.058Z", "datePublished": "2026-03-25T16:14:38.543Z", "dateUpdated": "2026-03-26T15:40:08.691Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "ricky", "product": "Ricky", "vendor": "park_of_ideas", "versions": [{"changes": [{"at": "2.31", "status": "unaffected"}], "lessThanOrEqual": "< 2.31", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:20.415Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection.<p>This issue affects Ricky: from n/a through < 2.31.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection.This issue affects Ricky: from n/a through < 2.31."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:38.543Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/ricky/vulnerability/wordpress-ricky-theme-2-31-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Ricky theme < 2.31 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25032", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:38:28.609077Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:40:08.691Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "WordPress Ricky theme < 2.31 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "park_of_ideas", "product": "Ricky", "versions": [{"status": "affected", "changes": [{"at": "2.31", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 2.31"}], "packageName": "ricky", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:20.415Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/ricky/vulnerability/wordpress-ricky-theme-2-31-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection.This issue affects Ricky: from n/a through < 2.31.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection.<p>This issue affects Ricky: from n/a through < 2.31.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:38.543Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25032", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:38:28.609077Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-26T15:39:48.345Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-25032", "state": "PUBLISHED", "dateUpdated": "2026-03-25T16:14:38.543Z", "dateReserved": "2026-01-28T09:52:08.058Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:38.543Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection.This issue affects Ricky: from n/a through < 2.31."}], "id": "CVE-2026-25032", "lastModified": "2026-03-26T16:16:06.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:42.967", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/ricky/vulnerability/wordpress-ricky-theme-2-31-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.31)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Ricky", "source": "cna", "vendor": "park_of_ideas"}, "product": "ricky", "vendor": "park_of_ideas"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:51:43.984005+00:00", "value": {"mitigation_remediation": ["Upgrade the Ricky theme to version 2.31 or later to remove the deserialization flaw.", "Verify the upgrade by checking the active theme version in the WordPress admin panel."], "summary": {"action": "Update Theme", "impact": "Object Injection via PHP deserialization"}, "threat_synthesis": {"affected_systems": "All installations of the Ricky theme from park_of_ideas with a version older than 2.31 are affected. No specific patch versions are provided beyond the 2.31 cutoff, so every site running a pre\u20112.31 release is at risk.", "description_and_impact": "The Ricky theme deserializes untrusted data, enabling object injection. This flaw can lead to creation of malicious objects that potentially execute arbitrary PHP code, threatening confidentiality, integrity and availability. The vulnerability is listed as CWE-502.", "risk_and_exploitability": "No CVSS score or EPSS score is publicly available, and the flaw is not listed in CISA\u2019s KEV catalog. The inherently high risk of PHP object injection, inferred from the description, suggests a high likelihood of exploitation when user input is deserialized without validation. The attack vector is inferred to be any context where the theme processes data that could be supplied by a user, such as widget inputs or form submissions."}}}}, "created": "2026-03-25T21:34:12.614466+00:00", "updated": "2026-03-26T11:39:27.680372+00:00", "vendors": ["park_of_ideas", "park_of_ideas$PRODUCT$ricky", "wordpress", "wordpress$PRODUCT$wordpress"]}