{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27083", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:58.963Z", "datePublished": "2026-03-25T16:14:55.830Z", "dateUpdated": "2026-03-26T15:40:08.906Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "work-travel-company", "product": "Work & Travel Company", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "<= 1.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:35.999Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection.<p>This issue affects Work & Travel Company: from n/a through <= 1.2.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection.This issue affects Work & Travel Company: from n/a through <= 1.2."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:55.830Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/work-travel-company/vulnerability/wordpress-work-travel-company-theme-1-2-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Work & Travel Company theme <= 1.2 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27083", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:38:49.734157Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:40:08.906Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection.This issue affects Work & Travel Company: from n/a through <= 1.2."}], "id": "CVE-2026-27083", "lastModified": "2026-03-25T17:16:55.960", "metrics": {}, "published": "2026-03-25T17:16:55.960", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/work-travel-company/vulnerability/wordpress-work-travel-company-theme-1-2-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Work & Travel Company", "source": "cna", "vendor": "ThemeREX"}, "product": "work_&_travel_company", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:25:38.270292+00:00", "value": {"mitigation_remediation": ["Update the ThemeREX Work & Travel Company theme to the latest available version.", "If no update is available, consider deactivating or uninstalling the theme until a patch is released.", "Restrict the handling of serialized data within the theme to trusted sources.", "Monitor site logs for unexpected deserialization events or object instantiation.", "Apply general WordPress security practices, such as keeping core, plugins, and themes updated and using a web application firewall."], "summary": {"action": "Apply Patch", "impact": "Potential Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that is running ThemeREX Work & Travel Company theme version 1.2 or earlier is affected. The issue exists across all versions up to and including 1.2, so all sites that have not upgraded beyond that release are vulnerable.", "description_and_impact": "The vulnerability arises from the deserialization of untrusted data in the Work & Travel Company theme, enabling PHP Object Injection. This weakness, classified as CWE-502, could allow an attacker to craft malicious serialized input that, when processed by the theme, results in unintended code execution. The severity depends on the specific code paths exercised during deserialization.", "risk_and_exploitability": "The CVSS score is not disclosed, and the EPSS information is unavailable. The vulnerability is not listed in the CISA KEV catalog. Based on the nature of the weakness, the potential for remote code execution is inferred, and the likely attack vector would involve exploitation of any functionality that accepts serialized data, such as plugin interfaces or API endpoints. The exact likelihood of exploitation is unknown, but the potential impact is significant if the flaw is exploited."}}}}, "created": "2026-03-25T21:43:53.904492+00:00", "updated": "2026-03-26T11:37:52.174325+00:00", "vendors": ["themerex", "themerex$PRODUCT$work_&_travel_company", "wordpress", "wordpress$PRODUCT$wordpress"]}