Description
Deserialization of Untrusted Data vulnerability in ThemeGoods Capella capella allows Object Injection. This issue affects Capella: from n/a through <= 2.5.5.
Published: 2026-02-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Capella theme contains a deserialization flaw that allows an attacker to inject malicious PHP objects. Because the theme processes untrusted serialized data, an attacker can craft a payload that, when deserialized, results in arbitrary code execution on the host server. The flaw is identified as CWE-502 and is rated with a CVSS score of 9.8, indicating a severe threat to confidentiality, integrity, and availability.

Affected Systems

This vulnerability affects the Capella theme from an unspecified earliest version ("n/a" in the record) through version 2.5.5. Any WordPress installation running this theme at version 2.5.5 or older is potentially affected. The vendor is ThemeGoods, and the product is the Capella WordPress theme.

Risk and Exploitability

The EPSS score of less than 1% suggests that the broader exploit probability is low, yet the high CVSS 9.8 severity signals that exploitation would be immediately damaging. The attack path does not require special environmental conditions; any legitimate route that triggers the theme’s deserialization logic can be abused. The vulnerability is not currently in the CISA KEV catalog, but an attacker could still target active installations if a malicious file or plugin supply chain path is available.

Generated by OpenCVE AI on April 27, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Capella theme to the latest available release (at least version 2.5.6).
  • Verify that the WordPress core and all plugins are updated to their latest versions to avoid potential secondary deserialization vectors.
  • If an immediate upgrade is not possible, deactivate or remove the Capella theme from the WordPress installation until a patched version can be applied.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 22:30:00 +0000

Type: Metrics
Values Added: cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Themegoods; Themegoods capella; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Themegoods; Themegoods capella; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added: Deserialization of Untrusted Data vulnerability in ThemeGoods Capella capella allows Object Injection. This issue affects Capella: from n/a through <= 2.5.5.

Type: Title
Values Added: WordPress Capella theme <= 2.5.5 - PHP Object Injection vulnerability

Type: Weaknesses
Values Added: CWE-502

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:55:57.311Z

Reserved: 2025-12-31T20:12:41.876Z

Link: CVE-2025-69370

Vulnrichment

Updated: 2026-02-24T21:00:13.292Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:21.153

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69370

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:30:12Z

Weaknesses