Description
Deserialization of Untrusted Data vulnerability in BoldThemes Nestin nestin allows Object Injection. This issue affects Nestin: from n/a through < 1.2.6.
Published: 2026-02-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a deserialization-of-untrusted-data flaw in the BoldThemes Nestin WordPress theme that permits PHP Object Injection. An attacker who controls the serialized input can cause the theme to instantiate arbitrary PHP objects and potentially execute remote code, leading to complete compromise of the affected WordPress site. The weakness is classified as CWE-502 (insecure deserialization).

Affected Systems

Any deployment of the BoldThemes Nestin theme older than version 1.2.6 is affected; the advisory lists the affected range as n/a through < 1.2.6. WordPress sites that have not applied the 1.2.6 update remain at risk.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. The EPSS score of < 1% suggests a very low current probability of exploitation, and the vulnerability's absence from the CISA KEV list means no active exploitation has been recorded there. The likely attack vector is the theme's processing of user-supplied serialized data, such as form submissions or query parameters; an attacker able to supply a crafted serialized payload may trigger arbitrary code execution on the server.

Generated by OpenCVE AI on April 27, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Nestin theme to version 1.2.6 or later, which fixes the deserialization flaw.
  • If an immediate upgrade is not possible, disable the Nestin theme or switch to a different, secure theme to eliminate the attack surface.
  • Review any custom code that processes serialized data in the theme and ensure that only trusted data is deserialized, or remove such calls altogether.
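The review in the last point is easier with a concrete picture of what to look for. The following is an added example, not code from the Nestin theme or from BoldThemes: a hypothetical WordPress request handler that reads serialized state from a query parameter, shown in the risky form beside two hardened forms. The parameter name nestin_state and the function names are assumptions for illustration.

```php
<?php
// Added example (not Nestin's code). A hypothetical handler that reads
// serialized state from a request parameter. Parameter name 'nestin_state'
// and the function names below are assumptions for illustration.

// Risky pattern (CWE-502 / PHP Object Injection): unserialize() on
// attacker-controlled input lets the request choose which classes are
// instantiated, and their __wakeup()/__destruct() methods then run with the
// web server's privileges.
function load_state_risky(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened form 1: keep PHP's serialization format but forbid object
// instantiation. Any class in the payload becomes __PHP_Incomplete_Class,
// so no magic methods run; anything that is not a plain array is rejected.
function load_state_no_objects(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Hardened form 2: switch the wire format to JSON, which cannot express PHP
// objects at all, and validate the decoded shape before using it.
function load_state_json(string $raw): array
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('state must be a JSON object');
    }
    return $data;
}

// Usage inside the request handler; wp_unslash() is WordPress core's helper
// for removing the slashes WordPress adds to superglobals.
$raw = isset($_GET['nestin_state']) ? wp_unslash($_GET['nestin_state']) : '';
// $state = load_state_risky($raw);      // vulnerable: do not do this
$state = load_state_no_objects($raw);
```

For the inventory step, `grep -rn 'unserialize(' wp-content/themes/` lists every call site to check; each one should either pass `['allowed_classes' => false]` (or an explicit allow-list of classes) or be replaced by a format such as JSON. If an upgrade to 1.2.6 is blocked, a web application firewall rule that rejects request parameters containing PHP serialization markers such as `O:` followed by a class-name length is a stopgap, not a fix.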

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 05:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Boldthemes; Boldthemes nestin; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Boldthemes; Boldthemes nestin; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values removed: (none)
Values added: Deserialization of Untrusted Data vulnerability in BoldThemes Nestin nestin allows Object Injection. This issue affects Nestin: from n/a through < 1.2.6.

Type: Title
Values removed: (none)
Values added: WordPress Nestin theme < 1.2.6 - PHP Object Injection vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-502

Type: References
Values removed: (none)
Values added: (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:33:05.319Z

Reserved: 2025-12-15T10:00:44.501Z

Link: CVE-2025-67996

Vulnrichment

Updated: 2026-02-24T20:58:36.056Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:05.907

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67996

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:00:13Z

Weaknesses