Description
Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection. This issue affects Pendulum: from n/a through < 3.1.5.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Pendulum WordPress theme contains a deserialization vulnerability that allows an attacker to inject arbitrary PHP objects. This PHP Object Injection can enable the execution of malicious code, granting the attacker full control over the affected website. The weakness can compromise the integrity and confidentiality of site data and potentially lead to remote code execution. It is classified as CWE-502, indicating unsafe handling of serialized data.
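As an added illustration (not code from the Pendulum theme, whose affected code path is not shown on this page), the generic PHP pattern behind CWE-502 is shown next to two hardened alternatives. The class name, function names and request parameter are assumed for the example; the sample inputs are constructed inline.

```php
<?php
// Added example, not Pendulum code. Class and function names are invented.
// Any class with a __wakeup()/__destruct() method becomes reachable when
// unserialize() is fed attacker-controlled input, because PHP instantiates
// whatever class the serialized string names. This demo class is deliberately
// harmless; the point is who gets to choose the class, not what it does.
class ThemeOptions
{
    public string $color = 'blue';
}

// VULNERABLE pattern (CWE-502): serialized data taken straight from the request.
// The sender, not the application, decides which classes are instantiated.
function load_state_unsafe(string $raw)
{
    return unserialize($raw);
}

// Recursively check whether any object survived deserialization.
function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// HARDENED pattern 1: forbid class instantiation entirely. Any object in the
// input degrades to __PHP_Incomplete_Class, so no magic method of a real class
// can run; we then reject such inputs outright.
function load_state_safe(string $raw): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return null;
    }
    return $data;
}

// HARDENED pattern 2 (preferred for new code): do not use PHP's native
// serialization for untrusted input at all. JSON carries no class information.
function load_state_json(string $raw): ?array
{
    $data = json_decode($raw, true, 32);
    return is_array($data) ? $data : null;
}

// Constructed inputs standing in for the hypothetical 'state' request parameter.
$plainArray  = serialize(['color' => 'blue', 'layout' => 'wide']);
$withObject  = serialize(['opts' => new ThemeOptions()]);

var_dump(load_state_unsafe($withObject)['opts'] instanceof ThemeOptions); // bool(true): class chosen by the input
var_dump(load_state_safe($plainArray));                                   // the two-element array
var_dump(load_state_safe($withObject));                                   // NULL: object refused
var_dump(load_state_json('{"color":"blue","layout":"wide"}'));            // the same array, no class semantics
```

The `allowed_classes` option exists since PHP 7.0; on older runtimes only the JSON route removes the instantiation risk, which is also why the upgrade, rather than input filtering, is the recommended action for the theme itself.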

Affected Systems

The vulnerable component is the Pendulum theme developed by rascals. All releases of Pendulum older than and including version 3.1.4 are affected; the problem is resolved in version 3.1.5 and later. Users running any prior version of the theme on WordPress should review their installation and determine whether an upgrade is required.

Risk and Exploitability

With a CVSS score of 8.8, the issue is considered high severity. The EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present, and the vulnerability has not yet been catalogued in the CISA KEV list. The attack vector is inferred to be remote, likely through a web interface that accepts serialized data, such as form submissions or query parameters, although the exact entry points are not specified in the description. The high exploitability rating, combined with the currently limited observed exploitation, suggests that targeted attacks on vulnerable sites, especially those exposed to the internet, are the principal risk.

Generated by OpenCVE AI on March 26, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pendulum theme to version 3.1.5 or later
  • Verify that the active theme is the updated version before making the changes live
  • If an upgrade is not immediately possible, restrict access to the administration interface and monitor for suspicious activity until the patch can be applied
  • Check other plugins and core WordPress versions for additional serialization vulnerabilities


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Rascals; Rascals pendulum; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added: Rascals; Rascals pendulum; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection. This issue affects Pendulum: from n/a through < 3.1.5.

Type: Title
Values Removed: (empty)
Values Added: WordPress Pendulum theme < 3.1.5 - PHP Object Injection vulnerability

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-502

Type: References
Values Removed: (empty)
Values Added: (empty)

Subscriptions

Rascals Pendulum
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:46:28.213Z

Reserved: 2026-02-02T12:52:48.541Z

Link: CVE-2026-25359

Vulnrichment

Updated: 2026-03-26T15:46:24.429Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:47.010

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25359

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:45:56Z

Weaknesses