Description
Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection. This issue affects Goldenblatt: from n/a through < 1.3.0.
Published: 2025-10-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in the Goldenblatt WordPress theme can cause PHP Object Injection (CWE-502), which allows an attacker to execute arbitrary code on the server. This flaw enables the attacker to gain full control over the affected WordPress site, potentially compromising all data stored on the server.

Affected Systems

The vulnerability affects the BoldThemes Goldenblatt theme versions prior to 1.3.0. Any WordPress installation that is running Goldenblatt 1.2.1 or earlier is susceptible.

Risk and Exploitability

According to the CVSS score of 9.8, the risk is extremely high. The EPSS score of less than 1% indicates a low current exploitation probability, and the flaw is not listed in CISA’s KEV catalog. Nonetheless, because an attacker could inject malicious objects via application inputs, the flaw is considered remotely exploitable. Organizations should assume a high severity risk if the vulnerable theme remains active.

Generated by OpenCVE AI on April 29, 2026 at 20:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Goldenblatt theme to version 1.3.0 or later, which contains the fix for the deserialization issue.
  • If the theme is not needed, replace it with a trusted alternative or remove it from the WordPress installation.
  • For sites that must continue using the theme temporarily, audit any user‑controlled input paths to ensure no untrusted data is passed to unserialize() functions.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection. This issue affects Goldenblatt: from n/a through <= 1.2.1.
  Added: Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection. This issue affects Goldenblatt: from n/a through < 1.3.0.
Title
  Removed: WordPress Goldenblatt theme <= 1.2.1 - PHP Object Injection vulnerability
  Added: WordPress Goldenblatt theme < 1.3.0 - PHP Object Injection vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 10:30:00 +0000

First Time appeared
  Added:
    Wordpress
    Wordpress wordpress
Vendors & Products
  Added:
    Wordpress
    Wordpress wordpress

Wed, 22 Oct 2025 19:15:00 +0000

Metrics
  Added:
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 14:45:00 +0000

Description
  Added: Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection. This issue affects Goldenblatt: from n/a through <= 1.2.1.
Title
  Added: WordPress Goldenblatt theme <= 1.2.1 - PHP Object Injection vulnerability
Weaknesses
  Added: CWE-502
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:41:44.825Z

Reserved: 2025-09-25T15:34:23.206Z

Link: CVE-2025-60214

Vulnrichment

Updated: 2025-10-22T18:11:42.876Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:58.607

Modified: 2026-06-17T09:49:33.713

Link: CVE-2025-60214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:00:09Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data