Description
Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection. This issue affects Visionary Core: from n/a through <= 1.4.9.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Deserialization of untrusted data in the NooTheme Visionary Core plugin enables object injection, allowing an attacker to create a malicious payload that is processed by the plugin’s deserialization routine. This can trigger execution of arbitrary PHP code, leading to full compromise of the WordPress site’s confidentiality, integrity, and availability.

Affected Systems

All installations of the WordPress Visionary Core plugin from NooTheme that are version 1.4.9 or earlier are affected. Any site that has not yet upgraded beyond version 1.4.9 remains at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while an EPSS score below 1% suggests a low probability of exploitation in the near term. The vulnerability is not currently listed in the CISA KEV catalog, but the combination of a high severity score and the ability to inject object payloads via web requests makes remote exploitation feasible. Attackers can craft requests containing malicious serialized objects and send them to the plugin’s input handlers, potentially gaining full control over the server if the site accepts such input without proper filtering.

Generated by OpenCVE AI on March 26, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Visionary Core plugin to version 1.4.10 or higher, which removes the deserialization vulnerability
  • If an upgrade is not immediately possible, temporarily disable or remove the Visionary Core plugin to prevent exploitation
  • Apply any additional security controls such as strict input validation or web application firewall rules to block malicious serialized payloads
  • Monitor site logs for unusual deserialization activity and consider performing a security audit to detect potential compromise


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  • Nootheme
  • Nootheme visionary Core
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  • Nootheme
  • Nootheme visionary Core
  • Wordpress
  • Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection. This issue affects Visionary Core: from n/a through <= 1.4.9.

Type: Title
Values Removed: (none)
Values Added: WordPress Visionary Core plugin <= 1.4.9 - PHP Object Injection vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-502

References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:50:31.376Z

Reserved: 2026-01-28T09:50:46.305Z

Link: CVE-2026-24981

Vulnrichment

Updated: 2026-03-26T15:50:25.754Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:40.610

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-24981

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:16Z

Weaknesses