Description
Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection. This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3.
Published: 2026-03-19
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Object Injection
Action: Apply Patch
AI Analysis

Impact

The ColorFolio theme contains a flaw where it deserializes untrusted data, permitting object injection. While the CVE description does not explicitly state that code execution is achieved, object injection typically can lead to arbitrary code execution on a WordPress installation, potentially compromising confidentiality, integrity, and availability. The potential impact is therefore judged to be significant, but the exact consequence (e.g., remote code execution) is inferred based on the nature of the vulnerability rather than directly stated in the source.

Affected Systems

The vulnerability affects the BuddhaThemes ColorFolio - Freelance Designer WordPress Theme, specifically all releases from the earliest available version through version 1.3 inclusive. No additional sub‑product or variant information is provided.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity level. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, as the theme is accessible via a web interface and the deserialization routine could be triggered through a public‑facing form or API endpoint. This assessment of the attack vector is inferred from the description rather than explicitly documented in the CVE data. The overall risk is high due to the severity score and the potential for serious compromise if the flaw is exploited.

Generated by OpenCVE AI on March 19, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ColorFolio theme to a version newer than 1.3 (official patch or upgrade path).
  • If an immediate update is not possible, disable or delete the vulnerable theme and switch to a verified, secure alternative.



Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 19 Mar 2026 09:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Buddhathemes; Buddhathemes colorfolio - Freelance Designer Wordpress Theme; Wordpress; Wordpress wordpress |
| Vendors & Products | | Buddhathemes; Buddhathemes colorfolio - Freelance Designer Wordpress Theme; Wordpress; Wordpress wordpress |

Thu, 19 Mar 2026 06:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection. This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3. |
| Title | | WordPress ColorFolio - Freelance Designer WordPress Theme theme <= 1.3 - Deserialization of untrusted data vulnerability |
| Weaknesses | | CWE-502 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-19T14:08:03.842Z

Reserved: 2026-02-17T13:24:05.456Z

Link: CVE-2026-27096

Vulnrichment

Updated: 2026-03-19T14:07:56.034Z

NVD

Status: Awaiting Analysis

Published: 2026-03-19T06:16:25.190

Modified: 2026-03-19T13:25:00.570

Link: CVE-2026-27096

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:15:54Z

Weaknesses