Description
Deserialization of Untrusted Data vulnerability in rascals Noisa noisa allows Object Injection. This issue affects Noisa: from n/a through <= 2.6.0.
Published: 2025-10-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data occurs within the Noisa WordPress theme, enabling PHP Object Injection. The vulnerability allows an attacker to craft serialized input that creates malicious objects when processed by the theme. This can lead to arbitrary code execution, data disclosure, or other malicious actions on the affected website. The weakness corresponds to CWE‑502.

Affected Systems

The affected product is the WordPress Noisa theme from the vendor rascals. All releases up to version 2.6.0, inclusive, are vulnerable. No specific subversion details are provided beyond the "<= 2.6.0" boundary.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is rated critical. The EPSS score of less than 1% indicates that exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the high severity and the typically remote nature of PHP Object Injection suggest a likely attack vector of crafted HTTP requests to the theme's endpoints, from unauthenticated or authenticated users depending on the exposed functionality. Prompt remediation is advised.

Generated by OpenCVE AI on April 29, 2026 at 14:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Noisa theme to a version newer than 2.6.0 that contains the vendor‑supplied fix for the PHP Object Injection flaw.
  • If an immediate upgrade is not feasible, disable or sanitize any theme functionality that processes serialized data, ensuring that only expected data types are accepted.
  • Apply standard input validation and type checks around the deserialization routines to prevent the creation of arbitrary objects, following industry best practices for CWE‑502 mitigations.
  • Regularly monitor the site for anomalous activity and conduct file integrity checks to detect any tampering with theme files.
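As an added illustration of the deserialization hardening and monitoring steps listed above (this is not code from the Noisa theme, from rascals, or from OpenCVE), the PHP below contrasts the CWE-502 pattern with two hardened alternatives and a simple request-level check. The function names, the option keys `layout`/`columns` and the sample payloads are hypothetical; it assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not Noisa theme code. Function names, option keys and the
// sample payloads below are hypothetical/constructed.

// UNSAFE: unserialize() on request-controlled input instantiates whatever
// classes the payload names, so magic methods (__wakeup, __destruct,
// __toString) of any loaded class become reachable. This is CWE-502.
function load_options_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

// HARDENED 1: keep the serialized format but refuse object creation. With
// allowed_classes => false every object in the payload becomes
// __PHP_Incomplete_Class and no magic method of a real class runs. The
// result is then whitelisted by key and by PHP type.
function load_options_safe(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    $schema = ['layout' => 'string', 'columns' => 'integer'];
    $clean  = [];
    foreach ($schema as $key => $type) {
        if (array_key_exists($key, $data) && gettype($data[$key]) === $type) {
            $clean[$key] = $data[$key];
        }
    }
    return $clean;
}

// HARDENED 2: prefer JSON for data that crosses a trust boundary. JSON
// cannot express PHP objects, so the object-injection primitive is absent.
function load_options_json(string $raw): array
{
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return [];
    }
    return is_array($data) ? $data : [];
}

// MONITORING aid: flag a request parameter that carries a serialized PHP
// object ("O:<len>:\"ClassName\":<n>:{") before it reaches theme code.
function looks_like_serialized_object(string $value): bool
{
    return (bool) preg_match('/(?:^|[;{:])O:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/', $value);
}

// Constructed inputs: a well-formed options array and a payload that names
// a class (stdClass is used only so the sample is harmless).
$benign = serialize(['layout' => 'grid', 'columns' => 3]);
$object = 'O:8:"stdClass":1:{s:6:"layout";s:4:"grid";}';

var_dump(load_options_safe($benign));            // both keys pass the schema
var_dump(load_options_safe($object));            // incomplete object is dropped
var_dump(looks_like_serialized_object($benign)); // plain array, not flagged
var_dump(looks_like_serialized_object($object)); // object marker, flagged
```

The `allowed_classes` option has been available since PHP 7.0; setting it to `false` is the cheapest change when the serialized format must be kept, while switching the storage format to JSON removes the class of bug entirely. The detection regex is deliberately narrow (it looks for the `O:<len>:"<class>":<n>:{` marker) so it can be dropped into a WAF rule or request log filter without matching ordinary serialized arrays.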

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 15:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Values added:
  Description: Deserialization of Untrusted Data vulnerability in rascals Noisa noisa allows Object Injection. This issue affects Noisa: from n/a through <= 2.6.0.
  Title: WordPress Noisa theme <= 2.6.0 - PHP Object Injection vulnerability
  Weaknesses: CWE-502
  References:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:33:32.504Z

Reserved: 2025-09-25T15:19:17.076Z

Link: CVE-2025-60039

Vulnrichment

Updated: 2025-10-23T15:01:19.036Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:56.533

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-60039

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T14:30:13Z

Weaknesses