Description
Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection.This issue affects Work & Travel Company: from n/a through <= 1.2.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The flaw is a PHP Object Injection vulnerability caused by the deserialization of untrusted data in the Work & Travel Company theme. An attacker can supply crafted serialized data that the theme blindly deserializes, allowing the creation of arbitrary PHP objects and execution of arbitrary code. This leads to full compromise of the WordPress site, including data theft, defacement, and potential pivot to other systems. The issue is identified as CWE‑502, insecure deserialization, and carries a CVSS score of 9.8.

Affected Systems

The vulnerability impacts the WordPress Work & Travel Company theme released by ThemeREX. All versions from the earliest release up through version 1.2 are affected. Any WordPress installation using this theme in those versions is potentially vulnerable.

Risk and Exploitability

The high CVSS score indicates a severe threat, yet the EPSS score of less than 1% suggests low current exploitation activity. Because the flaw enables remote code execution via a typical web request, any publicly exposed WordPress site running the affected theme faces a significant risk. The vulnerability is not listed in the CISA KEV catalog, but no official patch is currently available, so administrators must act quickly by upgrading or disabling the theme. An attacker could exploit this by sending a crafted payload to the site’s public interfaces, triggering deserialization and executing arbitrary code. The overall risk is high, warranting immediate attention and mitigation.

Generated by OpenCVE AI on March 26, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Work & Travel Company theme to a version newer than 1.2 when a patch is released.
  • If an immediate update is not possible, consider disabling the theme or switching to an alternative theme until a fix is available.
  • Review any serialized data handling in the theme to ensure it does not accept external input without validation.
  • Check with the vendor for additional security guidance or a formal patch release.

Generated by OpenCVE AI on March 26, 2026 at 17:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex work & Travel Company
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex work & Travel Company
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection.This issue affects Work & Travel Company: from n/a through <= 1.2.
Title WordPress Work & Travel Company theme <= 1.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Themerex Work & Travel Company
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:40:08.906Z

Reserved: 2026-02-17T13:23:58.963Z

Link: CVE-2026-27083

cve-icon Vulnrichment

Updated: 2026-03-26T15:39:50.322Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:55.960

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-27083

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:31:19Z

Weaknesses