CVE-2026-25400 - Vulnerability Details - OpenCVE

Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.This issue affects Apicona: from n/a through <= 24.1.0.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

thememount

Apicona

unaffected

Version	Status	Constraints
`n/a`	affected	≤ <= 24.1.0

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Thememount Subscribe	Apicona Subscribe
Wordpress Subscribe	Wordpress Subscribe

Project Subscriptions

Vendors	Products
Thememount Subscribe	Apicona Subscribe
Wordpress Subscribe	Wordpress Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/apicona/vulnerability/wordpress-apicona-theme-24-1-0-php-object-injection-vulnerability?_s_id=cve

History

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Thememount Thememount apicona Wordpress Wordpress wordpress
Vendors & Products		Thememount Thememount apicona Wordpress Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.This issue affects Apicona: from n/a through <= 24.1.0.
Title		WordPress Apicona theme <= 24.1.0 - PHP Object Injection vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/Wordpress/Theme/apicona/vulnerability/wordpress-apicona-theme-24-1-0-php-object-injection-vulnerability?_s_id=cve

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-25T16:14:48.183Z

Updated: 2026-03-26T15:45:58.582Z

Reserved: 2026-02-02T12:53:12.987Z

Link: CVE-2026-25400

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-25T17:16:49.493

Modified: 2026-03-25T17:16:49.493

Link: CVE-2026-25400

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T11:38:31Z

Weaknesses

CWE-502

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25400", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:12.987Z", "datePublished": "2026-03-25T16:14:48.183Z", "dateUpdated": "2026-03-26T15:45:58.582Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "apicona", "product": "Apicona", "vendor": "thememount", "versions": [{"lessThanOrEqual": "<= 24.1.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:28.184Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.<p>This issue affects Apicona: from n/a through <= 24.1.0.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.This issue affects Apicona: from n/a through <= 24.1.0."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:48.183Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/apicona/vulnerability/wordpress-apicona-theme-24-1-0-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Apicona theme <= 24.1.0 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:45:46.157908Z", "id": "CVE-2026-25400", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:45:58.582Z"}}]}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,24.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Apicona", "source": "cna", "vendor": "thememount"}, "product": "apicona", "vendor": "thememount"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:54:15.580646+00:00", "value": {"mitigation_remediation": ["Update the Apicona theme to a version newer than 24.1.0", "Confirm that the updated theme no longer contains the vulnerable unserialize code", "If an update cannot be applied immediately, replace the theme with a secure alternative as a temporary measure", "Review and limit any user input that may be deserialized by the theme to reduce exploitation risk"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the Apicona theme version 24.1.0 or earlier are affected. Site administrators should verify the theme version and determine whether the application is running a vulnerable release.", "description_and_impact": "The vulnerability is a Deserialization of Untrusted Data flaw in the Apicona theme that allows an attacker to inject malicious PHP objects during unserialization. This weakness, identified as CWE\u2011502, enables the attacker to potentially execute arbitrary code or cause other destructive effects on the WordPress site.", "risk_and_exploitability": "The CVSS score is not provided, and EPSS data is unavailable, so a precise quantitative risk cannot be determined. However, the flaw can be triggered by sending crafted serialized data to the theme\u2019s processing routines, which may allow remote code execution. The most likely attack vector is through any input that the theme passes to PHP\u2019s unserialize function; this is inferred from the description and is not explicitly stated in the data. The vulnerability is not listed in the CISA KEV catalog, indicating that no publicly reported exploits are known at this time."}}}}, "created": "2026-03-25T21:44:36.455916+00:00", "updated": "2026-03-26T11:38:31.863347+00:00", "vendors": ["thememount", "thememount$PRODUCT$apicona", "wordpress", "wordpress$PRODUCT$wordpress"]}