Description
Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection. This issue affects Vex: from n/a through < 1.2.9.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

A deserialization flaw in the rascals Vex theme allows an attacker to inject PHP objects into the application, potentially leading to remote code execution or similar malicious actions. The vulnerability arises from passing untrusted serialized data to deserialization logic without validation, so crafted input that reaches the vulnerable code path instantiates arbitrary classes. The impact spans confidentiality, integrity, and availability, allowing an attacker to run arbitrary code on the affected WordPress site.

Affected Systems

The issue affects the rascals Vex WordPress theme in every release older than version 1.2.9, that is, any Vex version from the initial release up to, but not including, 1.2.9, on any WordPress installation where the theme is installed.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (network-reachable, low attack complexity, low privileges required, no user interaction) classifies this flaw as high severity. EPSS indicates a low probability of exploitation, and the flaw is not listed in the CISA KEV catalog. The attack likely proceeds by sending a specially crafted serialized payload through a vulnerable input point in the theme, which, when deserialized, instantiates attacker-controlled objects and executes code. No public exploit is documented in the CVE source, but the nature of object injection makes it a significant threat if combined with other vulnerabilities or elevated privileges.

Generated by OpenCVE AI on March 26, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Vex theme to version 1.2.9 or newer, which removes the vulnerable code entirely. If an immediate update is not feasible, remove or disable the Vex theme and replace it with a secure alternative. Monitor application logs for abnormal object deserialization activity and restrict theme input to trusted data only.
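To make the CWE-502 pattern behind this advisory concrete, the following is an added illustration in PHP; it is not code from the Vex theme or from OpenCVE, and the advisory does not identify the theme's actual input point. The function names, the `state` request parameter, and the sample inputs are all constructed here. It places the unsafe shape (raw `unserialize()` of request data) beside three defensive options: refusing all classes, switching to JSON, and a pre-check that flags object tokens for logging.

```php
<?php
declare(strict_types=1);

// Vulnerable shape (hypothetical, for contrast): attacker-controlled input goes
// straight into unserialize(), so the caller picks any loaded class and its
// __wakeup()/__destruct() side effects run.
function load_state_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened: allowed_classes => false makes every object in the payload decode to
// __PHP_Incomplete_Class, whose magic methods are never invoked; only scalars
// and arrays survive as usable values.
function load_state_safe(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Preferred for new code: a data format that cannot express PHP objects at all.
function load_state_json(string $raw): ?array
{
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Detection gate for legacy serialized input: an object token ("O:" or "C:")
// at the start of the string or directly after ";" or "{" should never appear
// in benign theme state, so log and reject it before deserialization.
function contains_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed sample inputs (not taken from the advisory or any real request).
$benign  = serialize(['theme' => 'vex', 'page' => 2]);
$hostile = 'O:8:"stdClass":1:{s:1:"x";i:1;}';

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $raw) {
    if (contains_serialized_object($raw)) {
        // In a real deployment this is the event to surface in application logs.
        error_log("rejected serialized object in 'state' parameter ({$label})");
        continue;
    }
    $state = load_state_safe($raw);
    var_dump($state);
}

// Even if the gate were bypassed, the hardened call yields no live object:
var_dump(load_state_safe($hostile) instanceof __PHP_Incomplete_Class); // bool(true)
```

Of the three defenses, `allowed_classes => false` is the smallest change to an existing code base, but it still leaves `unserialize()` parsing attacker bytes; moving the persisted state to JSON removes the object-injection surface altogether.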



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Rascals; Rascals vex; Wordpress; Wordpress wordpress
Vendors & Products                     Rascals; Rascals vex; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description                    Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.This issue affects Vex: from n/a through < 1.2.9.
Title                          WordPress Vex theme < 1.2.9 - PHP Object Injection vulnerability
Weaknesses                     CWE-502
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:09.195Z

Reserved: 2026-02-02T12:52:48.541Z

Link: CVE-2026-25360

Vulnrichment

Updated: 2026-03-26T15:42:59.724Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:47.143

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:45:55Z

Weaknesses