Description
Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection. This issue affects Meloo: from n/a through < 2.8.2.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Object Injection
Action: Patch
AI Analysis

Impact

The vulnerability in the Meloo WordPress theme lets attacker-crafted serialized data reach PHP’s unserialize routine. When the theme deserializes that data, it instantiates PHP objects whose classes and properties the attacker chooses, which may lead to unauthorized actions within the application.

Affected Systems

All installations of the Meloo theme built by rascals that are earlier than version 2.8.2 are affected. The flaw exists regardless of the WordPress core version or other plugins installed. Any WordPress website that has deployed a vulnerable instance of the theme is therefore at risk.

Risk and Exploitability

The CVSS score of 8.8 signals a severe potential impact, while the EPSS score below 1% indicates that active exploitation is currently rare, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack avenue is sending the crafted serialized payload to the theme’s processing endpoint over the network, since the vulnerability lies in the deserialization of untrusted data in a web context. The high severity score means that successful exploitation could grant considerable control if mitigations are missing, but the low probability of exploitation suggests that monitoring and preventive measures remain the most prudent approach.

Generated by OpenCVE AI on March 26, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Meloo theme to version 2.8.2 or later.
  • If an update cannot be performed immediately, deactivate or remove the theme and switch to a safe default theme such as Twenty Twenty‑Three.
  • Examine any custom code or third‑party plugins that may invoke unserialize with untrusted data and eliminate or protect those calls.
  • Deploy a Web Application Firewall to detect and block malicious serialized payloads.
  • Regularly monitor server logs and perform security scans for signs of exploitation attempts.

Generated by OpenCVE AI on March 26, 2026 at 19:08 UTC.
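The unserialize pattern behind CWE-502 and the third recommended action above (finding and protecting unserialize calls that take untrusted data), as an added example that is not code from the Meloo theme or from OpenCVE; the class ThemeOptions, the function names and the serialized input string are constructed for illustration:

```php
<?php
// Added example (not from the Meloo theme or OpenCVE): the CWE-502 pattern
// behind this advisory, a vulnerable handler beside two hardened ones.
// The class name, function names and input value are constructed.

class ThemeOptions {
    public string $layout = 'grid';
    public function __wakeup(): void {
        // Magic methods like this run automatically inside unserialize(),
        // which is why attacker-chosen objects become a code-execution risk.
        error_log('ThemeOptions::__wakeup ran');
    }
}

// Vulnerable: the raw request value reaches unserialize() unchanged, so the
// attacker decides which classes are instantiated and which magic methods fire.
function load_options_vulnerable(string $raw): mixed {
    return unserialize($raw);
}

// Hardened: refuse to build any object. Class payloads are turned into
// __PHP_Incomplete_Class, so no __wakeup()/__destruct() of a real class runs.
function load_options_hardened(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($data)) {
        return [];                       // anything but a plain array is rejected
    }
    $clean = [];                         // keep only scalar values under known keys
    foreach (['layout', 'columns'] as $key) {
        if (isset($data[$key]) && is_scalar($data[$key])) {
            $clean[$key] = $data[$key];
        }
    }
    return $clean;
}

// Preferred: do not use PHP serialization for user-supplied state at all.
function load_options_json(string $raw): array {
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed input: a serialized ThemeOptions object, the kind of value an
// untrusted request parameter could carry.
$constructed = 'O:12:"ThemeOptions":1:{s:6:"layout";s:4:"list";}';
var_dump(load_options_vulnerable($constructed) instanceof ThemeOptions); // bool(true), __wakeup ran
var_dump(load_options_hardened($constructed));                           // array(0) {}, object refused
var_dump(load_options_json('{"layout":"list"}'));                         // array(1) {["layout"]=>"list"}
```

When auditing a theme or plugin for this class of bug, grep for unserialize( calls whose argument can be traced back to a request, cookie, or database value written by a lower-privileged user, and apply the allowed_classes restriction or switch the format to JSON.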

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Rascals; Rascals meloo; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Rascals; Rascals meloo; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: none
Values Added: Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection. This issue affects Meloo: from n/a through < 2.8.2.

Type: Title
Values Removed: none
Values Added: WordPress Meloo theme < 2.8.2 - PHP Object Injection vulnerability

Type: Weaknesses
Values Removed: none
Values Added: CWE-502

Type: References
Values Removed: none
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:09.183Z

Reserved: 2026-02-02T12:52:48.541Z

Link: CVE-2026-25358

Vulnrichment

Updated: 2026-03-26T15:42:34.452Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:46.877

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:45:57Z

Weaknesses