{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25358", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:48.541Z", "datePublished": "2026-03-25T16:14:44.886Z", "dateUpdated": "2026-03-25T16:14:44.886Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "meloo", "product": "Meloo", "vendor": "rascals", "versions": [{"changes": [{"at": "2.8.2", "status": "unaffected"}], "lessThanOrEqual": "< 2.8.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:25.038Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection.<p>This issue affects Meloo: from n/a through < 2.8.2.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection.This issue affects Meloo: from n/a through < 2.8.2."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:44.886Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/meloo/vulnerability/wordpress-meloo-theme-2-8-2-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Meloo theme < 2.8.2 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection.This issue affects Meloo: from n/a through < 2.8.2."}], "id": "CVE-2026-25358", "lastModified": "2026-03-25T17:16:46.877", "metrics": {}, "published": "2026-03-25T17:16:46.877", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/meloo/vulnerability/wordpress-meloo-theme-2-8-2-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:01:03.710164+00:00", "value": {"mitigation_remediation": ["Update the Meloo theme to version 2.8.2 or later."], "summary": {"action": "Immediate Patch", "impact": "PHP Object Injection leading to potential remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress Meloo theme provided by rascals. Any installation using a version older than 2.8.2 is potentially vulnerable and should be considered affected.", "description_and_impact": "A deserialization flaw allows attackers to supply crafted data that creates arbitrary PHP objects. This object injection can enable execution of unintended code, compromising the integrity and confidentiality of the site. The weakness corresponds to CWE\u2011502, indicating that untrusted data was handled insecurely during deserialization.", "risk_and_exploitability": "The CVSS score is not provided, and EPSS data is unavailable, but the capability for remote code execution suggests a high severity risk. The attack vector is inferred to involve submission of malicious serialized data to the theme\u2019s deserialization routine; the exact prerequisites (such as an authenticated user or specific action) are not detailed in the available data. The vulnerability is not currently listed in the CISA KEV catalog, indicating no known widespread exploitation yet, but the potential for serious impact warrants prompt action."}}}}, "created": "2026-03-25T21:44:54.886620+00:00", "updated": "2026-03-25T21:44:54.886650+00:00", "vendors": []}