Description
Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection. This issue affects CitiLights: from n/a through <= 3.7.1.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Object Injection
Action: Patch Immediately
AI Analysis

Impact

The vulnerability in the NooTheme CitiLights WordPress theme is a PHP Object Injection flaw caused by deserialization of untrusted data. Attackers can supply crafted serialized payloads that result in the instantiation of arbitrary PHP objects when the theme processes them. The flaw, classified as CWE-502, may allow attackers to compromise the confidentiality, integrity, or availability of the site content and potentially other data stored by the WordPress installation.

Affected Systems

All WordPress installations that have the CitiLights theme running any version up to and including 3.7.1 are impacted. The issue affects the theme across all hosting environments where the theme is activated, regardless of server configuration.

Risk and Exploitability

With a CVSS base score of 8.8, the vulnerability is considered high severity, but the EPSS score of less than 1% indicates a currently low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The CVSS vector (AV:N/AC:L/PR:L/UI:N) describes a network-reachable attack that requires low-privilege authentication and no user interaction. The attack vector is inferred to be any part of the theme that accepts serialized input, such as theme options or front‑end forms, which would allow an attacker to trigger the object injection.

Generated by OpenCVE AI on March 26, 2026 at 19:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the NooTheme CitiLights theme to the latest version (greater than 3.7.1).
  • If an update is not yet available, deactivate or delete the theme from the WordPress site to eliminate the exposure.
  • Apply standard WordPress security hardening: limit file‑upload permissions, keep core WordPress and PHP up to date, and monitor logs for anomalous activity related to serialized data.
  • If uncertainty remains, contact NooTheme support for the latest patch information.
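
As an added illustration (not code from the CitiLights theme, NooTheme or OpenCVE) of the CWE-502 pattern described under Impact and of the serialized-data monitoring suggested above, assuming PHP 8.0+ and hypothetical function and class names:

```php
<?php
// Added example: generic PHP object-injection pattern and two hardened variants.
// Class and function names are hypothetical, not from the CitiLights theme.

// Records when PHP's deserializer instantiates it; stands in for any application
// class whose magic methods (__wakeup, __destruct, ...) untrusted input could reach.
class AuditProbe {
    public static int $instantiations = 0;
    public function __wakeup(): void { self::$instantiations++; }
}

// Vulnerable pattern: raw unserialize() on data that arrived from a request or option.
// Whatever class name the input carries gets instantiated and its magic methods run.
function loadOptionsVulnerable(string $untrusted): mixed {
    return unserialize($untrusted);
}

// Hardened pattern 1: refuse every class. Objects in the input become
// __PHP_Incomplete_Class instances and no application code executes.
function loadOptionsHardened(string $untrusted): mixed {
    return unserialize($untrusted, ['allowed_classes' => false, 'max_depth' => 8]);
}

// Hardened pattern 2 (preferred for theme options): JSON cannot express PHP objects.
function loadOptionsJson(string $untrusted): ?array {
    $data = json_decode($untrusted, true, 8);
    return is_array($data) ? $data : null;
}

// Detection helper for request/log monitoring: flags input containing a PHP
// serialized-object marker (O:<len>:"ClassName":<n>:{), including nested ones.
function containsSerializedObject(string $input): bool {
    return (bool) preg_match('/(^|[;{:])O:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/', $input);
}

// Constructed sample input: a serialized AuditProbe, as a tampered option value might carry.
$sample = serialize(new AuditProbe());

loadOptionsVulnerable($sample);
printf("vulnerable path: %d instantiation(s)\n", AuditProbe::$instantiations);

$before = AuditProbe::$instantiations;
$safe   = loadOptionsHardened($sample);
printf("hardened path: %d instantiation(s), got %s\n",
       AuditProbe::$instantiations - $before, get_class($safe));

printf("detector flags sample: %s\n", containsSerializedObject($sample) ? 'yes' : 'no');
```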


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Nootheme, Nootheme citilights, Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Added: Nootheme, Nootheme citilights, Wordpress, Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection. This issue affects CitiLights: from n/a through <= 3.7.1.

Type: Title
Values Added: WordPress CitiLights theme <= 3.7.1 - PHP Object Injection vulnerability

Type: Weaknesses
Values Added: CWE-502

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:41:06.041Z

Reserved: 2026-01-28T09:50:41.578Z

Link: CVE-2026-24974

Vulnrichment

Updated: 2026-03-26T15:40:57.318Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:39.620

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-24974

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:20Z

Weaknesses