{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24981", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:46.305Z", "datePublished": "2026-03-25T16:14:35.700Z", "dateUpdated": "2026-03-25T16:14:35.700Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "noo-visionary-core", "product": "Visionary Core", "vendor": "NooTheme", "versions": [{"changes": [{"at": "1.5.0", "status": "unaffected"}], "lessThanOrEqual": "<= 1.4.9", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:17.897Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection.<p>This issue affects Visionary Core: from n/a through <= 1.4.9.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection.This issue affects Visionary Core: from n/a through <= 1.4.9."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:35.700Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/noo-visionary-core/vulnerability/wordpress-visionary-core-plugin-1-4-9-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Visionary Core plugin <= 1.4.9 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection.This issue affects Visionary Core: from n/a through <= 1.4.9."}], "id": "CVE-2026-24981", "lastModified": "2026-03-25T17:16:40.610", "metrics": {}, "published": "2026-03-25T17:16:40.610", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/noo-visionary-core/vulnerability/wordpress-visionary-core-plugin-1-4-9-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Visionary Core", "source": "cna", "vendor": "NooTheme"}, "product": "visionary_core", "vendor": "nootheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:37:52.553919+00:00", "value": {"mitigation_remediation": ["Upgrade the NooTheme Visionary Core plugin to the latest available version that removes the deserialization flaw.", "If an immediate upgrade is not possible, disable the Visionary Core plugin until a patch is released.", "Restrict access to any endpoints the plugin exposes, allowing only authenticated administrators to interact with them.", "Monitor web and PHP error logs for signs of unauthorized object deserialization or code execution attempts.", "Verify after remediation that the site runs the protected plugin version and that deserialization is no longer possible."], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the WordPress Visionary Core plugin from NooTheme, impacting all installed versions from the earliest release through version\u202f1.4.9 inclusive. Users running any of those versions are vulnerable.", "description_and_impact": "The vulnerability occurs when the NooTheme Visionary Core plugin deserializes untrusted data, allowing an attacker to inject a crafted PHP object. This PHP Object Injection can lead to arbitrary code execution on the host server and compromise the entire WordPress site, as indicated by its classification as a CWE\u2011502 issue.", "risk_and_exploitability": "Because object injection can enable remote code execution, the risk is high for a site that accepts user\u2011supplied input triggering the deserialization path. No EPSS score or KEV listing is available, but the absence of those metrics does not reduce the potential severity. The exploitation vector is likely an HTTP request that includes malicious serialized payloads; however, the precise prerequisites are not detailed in the advisory, so administrators should assume the vulnerability is exploitable by any actor who can supply crafted input."}}}}, "created": "2026-03-25T21:34:28.415244+00:00", "updated": "2026-03-26T11:39:42.994216+00:00", "vendors": ["nootheme", "nootheme$PRODUCT$visionary_core", "wordpress", "wordpress$PRODUCT$wordpress"]}