Description
Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection. This issue affects Love Story: from n/a through <= 1.3.12.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Deserialization of untrusted data in the ThemeREX Love Story theme allows PHP object injection, a flaw classified as CWE‑502. The injection can enable an attacker who supplies crafted serialized input to instantiate arbitrary PHP objects, potentially leading to remote code execution or other severe consequences depending on the server configuration and plugins in use.

Affected Systems

The vulnerability affects the WordPress Love Story theme by ThemeREX, specifically versions from the initial release up through 1.3.12. Any WordPress site running one of these versions is potentially exposed.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, while the EPSS below 1% indicates a low estimated probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be remote, via maliciously crafted serialized data sent to the theme’s deserialization logic, such as through form input or URL parameters. With no patch or mitigation available from the vendor, an attacker could achieve full code execution on the affected server.

Generated by OpenCVE AI on March 26, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Love Story theme to a version newer than 1.3.12 if one is available.
  • If a timely upgrade is not feasible, immediately deactivate or remove the theme from the WordPress installation.
  • Implement input validation or sanitize data before deserialization to prevent untrusted data from reaching the vulnerable code.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Themerex; Themerex love Story; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Themerex; Themerex love Story; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: none
Values Added: Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection. This issue affects Love Story: from n/a through <= 1.3.12.

Type: Title
Values Removed: none
Values Added: WordPress Love Story theme <= 1.3.12 - PHP Object Injection vulnerability

Type: Weaknesses
Values Removed: none
Values Added: CWE-502

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:27:20.474Z

Reserved: 2026-02-17T13:23:58.963Z

Link: CVE-2026-27082

Vulnrichment

Updated: 2026-03-26T15:26:58.910Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:55.827

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-27082

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:20Z
