Description
Deserialization of Untrusted Data vulnerability in NooTheme Organici Library noo-organici-library allows Object Injection. This issue affects Organici Library: from n/a through <= 2.1.2.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The WordPress Organici Library plugin contains a deserialization flaw that permits untrusted data to be processed as PHP objects. This deficiency, identified as CWE-502, allows attackers to inject malicious objects that, when instantiated, can execute arbitrary code on the server. Successful exploitation results in full control of the WordPress installation and potentially the underlying hosting environment.

Affected Systems

All WordPress sites that have the NooTheme Organici Library plugin installed at version 2.1.2 or earlier are affected. The issue is triggered whenever the plugin processes serialized data through any of its public interfaces, such as AJAX or REST endpoints, when the plugin is active.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity that could lead to complete loss of system control. The EPSS score of less than 1% indicates that exploitation is currently uncommon, yet the potential damage remains severe. The vulnerability is not listed in the CISA KEV catalog, reducing its visibility but not its danger. Based on the description, the likely attack vector is the unauthenticated delivery of a crafted serialized payload to a publicly accessible plugin endpoint, which triggers PHP object injection and remote code execution.

Generated by OpenCVE AI on March 26, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Organici Library plugin to the latest available version, which removes the deserialization vector
  • If an update cannot be applied immediately, restrict all plugin-related AJAX/REST endpoints to authenticated users only and monitor for suspicious requests
  • Configure PHP to disable allow_url_fopen and enable safe_mode or similar mitigations to limit the impact of potential object injection

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000
Type: Metrics
Values added:
cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000
Type: First Time appeared
Values added: Nootheme; Nootheme organici Library; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Nootheme; Nootheme organici Library; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000
Type: Description
Values added: Deserialization of Untrusted Data vulnerability in NooTheme Organici Library noo-organici-library allows Object Injection. This issue affects Organici Library: from n/a through <= 2.1.2.
Type: Title
Values added: WordPress Organici Library plugin <= 2.1.2 - PHP Object Injection vulnerability
Type: Weaknesses
Values added: CWE-502
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:41:34.201Z

Reserved: 2026-01-28T09:50:41.579Z

Link: CVE-2026-24976

Vulnrichment

Updated: 2026-03-26T15:41:30.687Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:39.897

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-24976

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:19Z

Weaknesses