{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24978", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:46.305Z", "datePublished": "2026-03-25T16:14:35.214Z", "dateUpdated": "2026-03-25T16:14:35.214Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "jobica-core", "product": "Jobica Core", "vendor": "NooTheme", "versions": [{"changes": [{"at": "1.4.2", "status": "unaffected"}], "lessThanOrEqual": "<= 1.4.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:17.115Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-core allows Object Injection.<p>This issue affects Jobica Core: from n/a through <= 1.4.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-core allows Object Injection.This issue affects Jobica Core: from n/a through <= 1.4.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:35.214Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/jobica-core/vulnerability/wordpress-jobica-core-plugin-1-4-1-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Jobica Core plugin <= 1.4.1 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-core allows Object Injection.This issue affects Jobica Core: from n/a through <= 1.4.1."}], "id": "CVE-2026-24978", "lastModified": "2026-03-25T17:16:40.180", "metrics": {}, "published": "2026-03-25T17:16:40.180", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/jobica-core/vulnerability/wordpress-jobica-core-plugin-1-4-1-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Jobica Core", "source": "cna", "vendor": "NooTheme"}, "product": "jobica_core", "vendor": "nootheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:38:41.757916+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Jobica Core plugin version once a fix is released.", "If a newer version is not yet available, temporarily disable the Jobica Core plugin to prevent exploitation.", "Review the plugin\u2019s code or configuration to ensure untrusted data is not passed to PHP unserialize functions.", "Implement application firewall rules to detect and block suspicious serialized payloads."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The affected vendor is NooTheme, and the product is the Jobica Core WordPress plugin. Versions from the initial release through 1.4.1 are vulnerable. Any WordPress installation that has this plugin installed within that version range is at risk.", "description_and_impact": "Jobica Core plugin deserializes untrusted data, enabling PHP object injection that can lead to remote code execution on a WordPress site. The flaw allows an attacker to manipulate serialized objects so that arbitrary PHP code is executed during unserialization. This threatens the confidentiality, integrity, and availability of the hosted site.", "risk_and_exploitability": "No CVSS score is provided, and the EPSS score is unavailable, so the objective severity cannot be quantified from the data. The vendor has not listed the vulnerability in CISA\u2019s KEV catalog. The likely attack vector involves sending crafted serialized payloads via web requests that trigger the plugin\u2019s unserialize logic. The lack of an official patch or workaround in the available references means the advice is to upgrade to a newer version once released or disable the plugin until a fix is available."}}}}, "created": "2026-03-25T21:34:31.301747+00:00", "updated": "2026-03-26T11:39:45.793498+00:00", "vendors": ["nootheme", "nootheme$PRODUCT$jobica_core", "wordpress", "wordpress$PRODUCT$wordpress"]}