Description
Deserialization of Untrusted Data vulnerability in codetipi Valenti valenti allows Object Injection.This issue affects Valenti: from n/a through <= 5.6.3.5.
Published: 2026-02-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Object Injection
Action: Immediate Patch
AI Analysis

Impact

The flaw is a deserialization of untrusted data in the Codetipi Valenti WordPress theme, allowing PHP object injection. This weakness, classified as CWE‑502, could potentially enable an attacker to execute code on the site, representing a high‑risk impact.

Affected Systems

All installations of the Valenti theme for WordPress versions 5.6.3.5 and earlier are affected. No specific WordPress core version is required; any site running the vulnerable theme is at risk.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is high severity, though its EPSS score of less than 1% indicates a very low probability of exploitation at present, and it is not listed in the KEV catalog. The likely attack vector is through user‑supplied input that the theme deserializes; a successful exploit would allow code execution within the WordPress web context. Because the fix is not publicly referenced, users should treat this flaw as an urgent risk.

Generated by OpenCVE AI on April 16, 2026 at 17:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Valenti theme to the latest released version that fixes the deserialization issue
  • If an update cannot be applied immediately, disable or remove the Valenti theme from the site
  • Configure the server to reject or sanitize serialized payloads, preventing PHP object deserialization from untrusted sources

Generated by OpenCVE AI on April 16, 2026 at 17:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Codetipi
Codetipi valenti
Wordpress
Wordpress wordpress
Vendors & Products Codetipi
Codetipi valenti
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in codetipi Valenti valenti allows Object Injection.This issue affects Valenti: from n/a through <= 5.6.3.5.
Title WordPress Valenti theme <= 5.6.3.5 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Codetipi Valenti
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:02.710Z

Reserved: 2026-01-14T08:36:07.869Z

Link: CVE-2026-23544

cve-icon Vulnrichment

Updated: 2026-02-19T21:31:34.772Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:12.340

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23544

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses