Description
Deserialization of Untrusted Data vulnerability in LoftOcean PatioTime patiotime allows Object Injection.This issue affects PatioTime: from n/a through < 2.1.
Published: 2026-02-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a PHP Object Injection flaw caused by deserializing untrusted data in the LoftOcean PatioTime theme. This flaw allows an attacker to inject malicious objects, which can lead to execution of arbitrary code, compromise of the site's integrity and confidentiality, and potentially full server compromise. The weakness is identified as CWE-502, indicating insecure deserialization. The impact could extend across any user who can submit data that is processed by the theme, meaning that a single compromised input could affect the entire WordPress site.

Affected Systems

All installations of the LoftOcean PatioTime theme earlier than version 2.1 are affected. The vulnerability statement lists the affected range as "from n/a through < 2.1," meaning that any release before 2.1 may contain the flaw. If the theme is deployed on a WordPress site, that site is at risk until the theme is upgraded or the vulnerable component removed.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, and the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploits as of the last assessment. However, the likely attack vector is through web requests that are processed by the theme’s deserialization routine, such as form submissions or custom endpoints. Inference of the attack path is based on the nature of PHP object injection, which typically requires an attacker to supply a crafted serialized string to the vulnerable function.

Generated by OpenCVE AI on April 27, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PatioTime theme to version 2.1 or later, which removes the insecure deserialization code.
  • If an upgrade cannot be performed immediately, deactivate or disable the PatioTime theme to prevent any deserialization calls from accepting untrusted data.
  • Restrict any endpoints or form inputs that pass user-supplied data to the theme’s processes, ensuring only trusted administrators can trigger them.

Generated by OpenCVE AI on April 27, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Loftocean
Loftocean patiotime
Wordpress
Wordpress wordpress
Vendors & Products Loftocean
Loftocean patiotime
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in LoftOcean PatioTime patiotime allows Object Injection.This issue affects PatioTime: from n/a through < 2.1.
Title WordPress PatioTime theme < 2.1 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Loftocean Patiotime
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:32:56.132Z

Reserved: 2025-12-15T10:00:44.501Z

Link: CVE-2025-67995

cve-icon Vulnrichment

Updated: 2026-02-24T20:53:51.650Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:05.770

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67995

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T21:00:13Z

Weaknesses