Description
Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection. This issue affects KIDZ: from n/a through <= 5.24.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in the park_of_ideas KIDZ WordPress theme allows PHP Object Injection due to deserialization of untrusted data. This flaw, classified as CWE-502, enables an attacker to instantiate arbitrary PHP objects when the theme processes incoming data. When successfully exploited, the attacker can execute arbitrary PHP code on the affected WordPress installation, compromising confidentiality, integrity, and availability of the site.

Affected Systems

All releases of the KIDZ theme from the initial version through version 5.24 are affected, regardless of the underlying WordPress core version. The theme is distributed by park_of_ideas under the name KIDZ; any WordPress site on which a vulnerable version is present is exposed.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% indicates a low current probability of exploitation in the wild. The likely attack vector is network-based delivery of a crafted serialized payload to the theme's processing endpoint. Based on the description, it is inferred that an attacker could transmit malicious data via HTTP requests that reach PHP's unserialize function. Successful exploitation would grant remote code execution. Although the vulnerability is not yet listed in CISA's KEV catalog, its high severity and potential for complete site compromise demand immediate action.

Generated by OpenCVE AI on March 26, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the KIDZ theme to any release newer than 5.24 or apply the vendor-supplied patch as noted in the advisory.
  • If an update is not yet possible, deactivate or remove the KIDZ theme from the WordPress installation or replace it with a non-vulnerable alternative.
  • Keep the WordPress core and all other plugins at their latest secure versions to reduce overall attack surface.
  • Verify that no exposed endpoints accept serialized data; if any exist, sanitize inputs or eliminate those functionalities.
  • Monitor server logs for abnormal unserialize activity or signs of exploitation attempts.

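Implementing the last two recommended actions above, here is an added example written for this page (it is not OpenCVE's code nor the theme vendor's): a Python detector that scans access-log request lines for the PHP serialized-object header (O:<len>:"Class":...), including base64-wrapped payloads, so that serialized data reaching any endpoint shows up in monitoring. The log lines, paths, parameter names and addresses are constructed.

```python
import base64
import re
from urllib.parse import unquote_plus

# Header of a PHP serialized object: O:<len>:"<ClassName>":<nprops>:{
# Serialized arrays ("a:") are not matched: they instantiate no class.
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
# Long runs of base64 characters: payloads are often wrapped this way.
B64_TOKEN_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
# Combined-format access log line; only the fields used below are captured.
ACCESS_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3}')


def find_php_objects(text: str) -> list[str]:
    """Class names of serialized PHP objects in text, after URL-decoding;
    long base64-looking tokens are decoded and inspected as well."""
    decoded = unquote_plus(text)
    classes = PHP_OBJECT_RE.findall(decoded)
    for token in B64_TOKEN_RE.findall(decoded):
        try:
            blob = base64.b64decode(token, validate=True).decode("latin-1")
        except ValueError:  # not valid base64 (binascii.Error is a ValueError)
            continue
        classes.extend(PHP_OBJECT_RE.findall(blob))
    return classes


def scan_access_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """(client_ip, [class names]) for every request carrying a serialized PHP object."""
    alerts = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if m:
            classes = find_php_objects(m.group("req"))
            if classes:
                alerts.append((m.group("ip"), classes))
    return alerts


# Constructed sample lines (RFC 5737 addresses, placeholder paths and parameters).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Mar/2026:10:00:01 +0000] "GET /?s=kidz HTTP/1.1" 200 5120',
    # URL-encoded serialized object  O:8:"stdClass":0:{}
    '203.0.113.7 - - [26/Mar/2026:10:00:02 +0000] "GET /?data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 12',
    # the same object, base64-wrapped before URL-encoding
    '203.0.113.9 - - [26/Mar/2026:10:00:03 +0000] "GET /?data=Tzo4OiJzdGRDbGFzcyI6MDp7fQ%3D%3D HTTP/1.1" 200 12',
    # serialized array a:1:{i:0;s:1:"x";}, not an object: no alert
    '203.0.113.11 - - [26/Mar/2026:10:00:04 +0000] "GET /?q=a%3A1%3A%7Bi%3A0%3Bs%3A1%3A%22x%22%3B%7D HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, classes in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {ip}: serialized PHP object(s) {classes} in request")
```

On the application side, the matching fix is to stop passing request data to unserialize() at all, or to call it with ['allowed_classes' => false] so that no class can be instantiated from the input.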

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type: Metrics
Values Added:
  • cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Park Of Ideas; Park Of Ideas kidz; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Park Of Ideas; Park Of Ideas kidz; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection. This issue affects KIDZ: from n/a through <= 5.24.
Type: Title
Values Added: WordPress KIDZ theme <= 5.24 - PHP Object Injection vulnerability
Type: Weaknesses
Values Added: CWE-502
Type: References
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:07.832Z

Reserved: 2026-01-28T09:52:08.057Z

Link: CVE-2026-25029

Vulnrichment

Updated: 2026-03-26T15:48:08.706Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:42.577

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25029

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:10Z

Weaknesses