Description
Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection.This issue affects Buisson: from n/a through <= 1.1.11.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution potential
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a deserialization of untrusted data flaw that allows PHP object injection in the ThemeREX Buisson theme. If an attacker supplies crafted input during rendering or configuration, the theme may unserialize data that triggers arbitrary PHP code execution. Based on the description, it is inferred that exploitation could lead to remote code execution, allowing full compromise of the WordPress site.

Affected Systems

The issue affects ThemeREX Buisson installations running any released version up to and including 1.1.11 on WordPress sites. Sites that have not upgraded beyond that version are susceptible. No other vendors or products are listed.

Risk and Exploitability

The vulnerability has a CVSS base score of 9.8, indicating critical severity, while the EPSS score is below 1%, suggesting a low current exploitation chance. It is not listed in the CISA KEV catalog. The likely attack vector is through crafted HTTP requests or form submissions that trigger the theme’s deserialization routine; based on the description, it is inferred that successful exploitation would provide remote code execution or equivalent access. Administrators should treat this as a high‑priority issue.

Generated by OpenCVE AI on March 26, 2026 at 17:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WordPress Buisson theme to a version newer than 1.1.11.
  • If an update is not possible, disable or remove the theme until a fix is released.
  • Monitor site logs for unusual PHP activity.
  • Check for other WordPress themes that may have similar deserialization issues.

Generated by OpenCVE AI on March 26, 2026 at 17:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex buisson
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex buisson
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection.This issue affects Buisson: from n/a through <= 1.1.11.
Title WordPress Buisson theme <= 1.1.11 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Themerex Buisson
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:01:26.562Z

Reserved: 2026-02-17T13:23:58.963Z

Link: CVE-2026-27084

cve-icon Vulnrichment

Updated: 2026-03-26T15:01:05.952Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:56.133

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-27084

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:31:18Z

Weaknesses