Description
Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection. This issue affects Tasty Daily: from n/a through < 1.27.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a deserialization of untrusted data that allows PHP object injection in the Tasty Daily WordPress theme. Object injection can be leveraged to manipulate the application’s state and can ultimately lead to execution of arbitrary code on the server, compromising confidentiality, integrity, and availability of the hosting environment.

Affected Systems

WordPress installations running the park_of_ideas Tasty Daily theme prior to version 1.27 are affected. The vulnerability applies to all releases from the earliest available version through any version below 1.27.

Risk and Exploitability

With a CVSS score of 9.8, the flaw is classified as critical. The EPSS score is below 1% and the issue is not in the CISA KEV catalog, suggesting that widespread automated exploitation is currently unlikely. However, the abuse path likely requires an attacker to trigger the deserialization process, possibly via a crafted request or unauthenticated access to a deserialization endpoint. If an attacker can supply arbitrary serialized data, they can gain code execution.

Generated by OpenCVE AI on March 26, 2026 at 18:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tasty Daily theme to version 1.27 or later.
  • If an update is not immediately available, disable or replace the vulnerable theme.
  • Verify that all other WordPress components are up to date.
  • In the absence of an official patch, consider removing the theme entirely or disabling any features that trigger deserialization.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 26 Mar 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Park Of Ideas; Park Of Ideas tasty Daily; Wordpress; Wordpress wordpress |
| Vendors & Products | | Park Of Ideas; Park Of Ideas tasty Daily; Wordpress; Wordpress wordpress |

Wed, 25 Mar 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection. This issue affects Tasty Daily: from n/a through < 1.27. |
| Title | | WordPress Tasty Daily theme < 1.27 - PHP Object Injection vulnerability |
| Weaknesses | | CWE-502 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:50:11.877Z

Reserved: 2026-01-28T09:52:08.058Z

Link: CVE-2026-25031

Vulnrichment

Updated: 2026-03-26T15:48:06.385Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:42.837

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25031

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:08Z

Weaknesses