Description
Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection. This issue affects WoodMart: from n/a through <= 8.3.8.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

Deserialization of untrusted data in the WoodMart WordPress theme creates a PHP Object Injection weakness that allows an attacker to craft serialized payloads that become arbitrary PHP objects within the application. This flaw, identified as CWE‑502, can enable an attacker to execute custom code on the affected site, potentially leading to full site compromise.

Affected Systems

The vulnerability exists in all releases of the WoodMart theme by xtemos up to and including version 8.3.8. Any site running one of these versions without an upgrade to 8.3.9 or later is exposed. Earlier releases are potentially affected as well unless explicitly patched for this issue.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of current exploitation, though the threat remains. The flaw is not listed in the CISA KEV catalogue. The likely attack vector is through any user-supplied data that the theme deserializes, such as query parameters, form submissions, or uploaded content. Based on the description, it is inferred that an attacker can trigger the vulnerability remotely by supplying crafted serialized input that the theme processes without proper validation.

Generated by OpenCVE AI on April 7, 2026 at 02:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WoodMart theme to any version newer than 8.3.8, such as 8.3.9
  • If an immediate update is not possible, review the theme’s code for calls to unserialize() and restrict them to known, trusted input or remove them outright
  • Disable or sanitize any plugins or custom code that serializes user input before it is processed by the theme
  • Ensure the entire WordPress installation and all plugins are updated to their latest security releases
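
One way to carry out the first two recommended actions on a server, as an added example that is not part of the OpenCVE record or of the theme's code: a POSIX shell script that reads the installed theme version from style.css, compares it with 8.3.8, and lists unserialize() and maybe_unserialize() call sites for review. The function names, the script name and the theme path in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example (not OpenCVE or xtemos code): triage one theme directory for
# the WoodMart <= 8.3.8 object-injection advisory.
# Assumption: style.css carries the standard WordPress "Version:" header.

LAST_AFFECTED="8.3.8"   # last affected release, taken from the advisory

# Print the version declared in the theme's style.css (empty if not found).
theme_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
        "$1/style.css" 2>/dev/null | head -n 1
}

# Succeed when dotted version $1 <= $2, comparing each component numerically.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Echo "affected", "patched" or "unknown" for the theme directory $1.
triage_theme() {
    v=$(theme_version "$1")
    if [ -z "$v" ]; then echo "unknown"
    elif version_le "$v" "$LAST_AFFECTED"; then echo "affected"
    else echo "patched"
    fi
}

# List unserialize()/maybe_unserialize() call sites as file:line:text for
# manual review; /dev/null forces grep to print the file name.
unserialize_calls() {
    find "$1" -type f -name '*.php' \
        -exec grep -nE 'unserialize[[:space:]]*\(' /dev/null {} +
}

# Usage: sh triage.sh /path/to/wp-content/themes/woodmart
if [ "$#" -gt 0 ]; then
    echo "WoodMart $(theme_version "$1"): $(triage_theme "$1")"
    unserialize_calls "$1" || echo "no unserialize() call sites found"
fi
```

A listed call site is only a candidate for review: what matters is whether the value passed to it can be influenced by a request, an upload or stored user data.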



Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Xtemos; Xtemos woodmart

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Xtemos; Xtemos woodmart

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection. This issue affects WoodMart: from n/a through <= 8.3.8.

Type: Title
Values Removed: (none)
Values Added: WordPress WoodMart theme <= 8.3.8 - PHP Object Injection vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-502

References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:04.041Z

Reserved: 2026-01-19T16:14:52.936Z

Link: CVE-2026-23971

Vulnrichment

Updated: 2026-03-26T15:57:03.974Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:36.143

Modified: 2026-04-06T20:16:21.273

Link: CVE-2026-23971

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T08:08:58Z

Weaknesses