{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27082", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:58.963Z", "datePublished": "2026-03-25T16:14:55.661Z", "dateUpdated": "2026-03-25T16:14:55.661Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "lovestory", "product": "Love Story", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "<= 1.3.12", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:35.701Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection.<p>This issue affects Love Story: from n/a through <= 1.3.12.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection.This issue affects Love Story: from n/a through <= 1.3.12."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:55.661Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/lovestory/vulnerability/wordpress-love-story-theme-1-3-12-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Love Story theme <= 1.3.12 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection.This issue affects Love Story: from n/a through <= 1.3.12."}], "id": "CVE-2026-27082", "lastModified": "2026-03-25T17:16:55.827", "metrics": {}, "published": "2026-03-25T17:16:55.827", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/lovestory/vulnerability/wordpress-love-story-theme-1-3-12-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.12]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Love Story", "source": "cna", "vendor": "ThemeREX"}, "product": "love_story", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:42:14.649455+00:00", "value": {"mitigation_remediation": ["Upgrade the Love Story theme to version 1.3.13 or newer.", "If a newer version is unavailable, replace or deactivate the theme immediately.", "Verify the integrity of theme files before deployment.", "Restrict file uploads and monitor site logs for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the ThemeREX Love Story WordPress theme through version 1.3.12 and earlier. Users running any of these releases are potentially exposed.", "description_and_impact": "A deserialization flaw allows an attacker to inject malicious objects into the Love Story WordPress theme. If exploited, the attacker can execute arbitrary PHP code, compromising confidentiality, integrity, and availability of the site. This vulnerability aligns with CWE-502, describing unsafe deserialization of untrusted data.", "risk_and_exploitability": "No EPSS score is available and the flaw is not listed in the CISA KEV catalog, but its high impact warrants concern. The likely attack vector is through web requests that trigger deserialization, such as maliciously crafted form submissions or file uploads. Exploitation requires that untrusted data be processed by the vulnerable theme."}}}}, "created": "2026-03-25T21:43:54.862063+00:00", "updated": "2026-03-26T11:37:53.120377+00:00", "vendors": ["themerex", "themerex$PRODUCT$love_story", "wordpress", "wordpress$PRODUCT$wordpress"]}