Description
Deserialization of Untrusted Data vulnerability in ThemeREX Dentario dentario allows Object Injection.This issue affects Dentario: from n/a through <= 1.5.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Deserialization of untrusted data in the Dentario theme allows PHP object injection, a form of insecure deserialization that can enable remote code execution and full compromise of the affected WordPress site. The vulnerability is identified as CWE‑502 and satisfies the criteria for critical severity due to the ability to execute arbitrary code on the web server with the privileges of the web application. Exploiting this flaw would grant attackers control over the file system, database, and WordPress installation, potentially facilitating credential theft, defacement, or serving malware to site visitors.

Affected Systems

All WordPress installations that have the ThemeREX Dentario theme version 1.5 or earlier. The issue applies across every variant of the theme used in the public or private sites that have not applied the update past version 1.5.

Risk and Exploitability

The CVSS score of 9.8 marks this vulnerability as critical, and although the EPSS score is below 1 %—indicating a low probability of mass exploitation—it remains a high‑risk target for determined adversaries. The attack vector can be inferred as a remote request that triggers the theme’s deserialization logic, such as a crafted POST or GET payload to an admin or AJAX endpoint. Since the vulnerability is not listed in the CISA KEV catalog, there is currently no confirmed exploitation activity, but the potential for undisclosed or future attacks exists.

Generated by OpenCVE AI on April 15, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dentario to the latest version (any release newer than 1.5) where the insecure deserialization issue has been fixed.
  • If an update is unavailable, disable or replace the Dentario theme until a patched version is released to prevent the vulnerable code from executing.
  • Restrict access to WordPress admin and any AJAX endpoints used by the theme to trusted users or IP ranges, and validate or sanitize all external input before serialization to mitigate the risk of object injection.

Generated by OpenCVE AI on April 15, 2026 at 23:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex dentario
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex dentario
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in ThemeREX Dentario dentario allows Object Injection.This issue affects Dentario: from n/a through <= 1.5.
Title WordPress Dentario theme <= 1.5 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Themerex Dentario
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:17.140Z

Reserved: 2026-02-19T09:52:39.682Z

Link: CVE-2026-27439

cve-icon Vulnrichment

Updated: 2026-03-06T18:43:30.343Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:29.810

Modified: 2026-03-06T19:16:17.917

Link: CVE-2026-27439

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T23:30:17Z

Weaknesses