{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25360", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:48.541Z", "datePublished": "2026-03-25T16:14:45.362Z", "dateUpdated": "2026-03-25T16:14:45.362Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "vex", "product": "Vex", "vendor": "rascals", "versions": [{"changes": [{"at": "1.2.9", "status": "unaffected"}], "lessThanOrEqual": "< 1.2.9", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:25.686Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.<p>This issue affects Vex: from n/a through < 1.2.9.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.This issue affects Vex: from n/a through < 1.2.9."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:45.362Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/vex/vulnerability/wordpress-vex-theme-1-2-9-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Vex theme < 1.2.9 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.This issue affects Vex: from n/a through < 1.2.9."}], "id": "CVE-2026-25360", "lastModified": "2026-03-25T17:16:47.143", "metrics": {}, "published": "2026-03-25T17:16:47.143", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/vex/vulnerability/wordpress-vex-theme-1-2-9-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:00:40.708934+00:00", "value": {"mitigation_remediation": ["Upgrade the Vex theme to version 1.2.9 or later.", "If an immediate update is not possible, disable or restrict any theme functionality that triggers deserialization or limit the exposure of those functions to external input.", "Review and sanitize all user input that could reach the vulnerable code path to ensure no unfiltered data is passed to deserialization routines.", "Monitor site logs for abnormal object instantiation or unexpected file execution that may indicate exploitation.", "Stay informed of vendor advisories and apply any subsequent patches promptly."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All instances of the rascals Vex theme on WordPress sites that are running any version earlier than 1.2.9 are affected. This includes every release of Vex 1.2.8 and older, independent of the hosting environment or site size.", "description_and_impact": "The vulnerability is a deserialization of untrusted data in the rascals Vex WordPress theme that permits PHP object injection. When an attacker can supply crafted input processed by the theme, they can instantiate arbitrary object types that may lead to remote code execution. The weakness aligns with CWE\u2011502, indicating unsafe deserialization capable of changing program control flow.", "risk_and_exploitability": "No CVSS or EPSS score is available, but the potential for remote code execution places the issue in a high\u2011severity category. The attack vector is likely any path where untrusted data is deserialized by the theme\u2014such as form submissions, query strings, or content uploads. The vulnerability is not listed in the CISA KEV catalog, yet an attacker who can reach the vulnerable component can craft malicious payloads and trigger object injection without requiring additional privileges. Consequently, any site still using the unpatched theme should regard this situation as a critical risk if remediation has not been applied."}}}}, "created": "2026-03-25T21:44:53.043934+00:00", "updated": "2026-03-25T21:44:53.043960+00:00", "vendors": []}