Description
Deserialization of Untrusted Data vulnerability in ThemeREX Good Energy goodenergy allows Object Injection. This issue affects Good Energy: from n/a through <= 1.7.7.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Deserialization of untrusted data in the ThemeREX Good Energy theme allows PHP Object Injection, which can be leveraged by an attacker to execute arbitrary code on the affected WordPress site. The flaw arises from processing untrusted serialized input without adequate validation, exposing the site to severe confidentiality, integrity, and availability risks.

Affected Systems

The vulnerability impacts the Good Energy theme by ThemeREX, affecting all installations from the earliest available version through version 1.7.7. Any WordPress deployment using this theme is potentially exposed.

Risk and Exploitability

The flaw carries a CVSS score of 9.8, indicating critical severity. Although its EPSS score is below 1%, the high severity and the nature of the vulnerability make it an attractive target for attackers once access to the theme’s serialization endpoint is discovered. The vulnerability is not listed in the CISA KEV catalog but remains a high‑risk threat. The likely attack vector is crafted HTTP requests that supply malicious serialized payloads to the theme’s deserialization code; the attacker can inject objects that execute arbitrary PHP code. Successful exploitation would grant the attacker full control over the affected web server.

Generated by OpenCVE AI on April 15, 2026 at 20:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Good Energy theme to the latest version (≥1.7.8), which removes the vulnerable deserialization logic.
  • If upgrading is not immediately possible, deactivate or delete the Good Energy theme to eliminate the attack surface.
  • Implement strict input validation for any data deserialized by the theme and configure a Web Application Firewall to block suspicious serialized payloads.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Themerex; Themerex good Energy; Wordpress; Wordpress wordpress
Vendors & Products | | Themerex; Themerex good Energy; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Deserialization of Untrusted Data vulnerability in ThemeREX Good Energy goodenergy allows Object Injection. This issue affects Good Energy: from n/a through <= 1.7.7.
Title | | WordPress Good Energy theme <= 1.7.7 - PHP Object Injection vulnerability
Weaknesses | | CWE-502
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T17:44:45.609Z

Reserved: 2026-02-25T12:14:02.974Z

Link: CVE-2026-28105

Vulnrichment

Updated: 2026-03-05T17:04:01.189Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:45.047

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-28105

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:15:13Z

Weaknesses