Description
Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection. This issue affects Borgholm: from n/a through < 1.6.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

The Borgholm theme for WordPress suffers from a deserialization vulnerability that permits PHP Object Injection. An attacker who can supply crafted serialized data to the theme’s code can instantiate objects of classes available to the application, with attacker-controlled property values, potentially leading to arbitrary code execution on the web server. The weakness is a classic untrusted deserialization flaw, identified as CWE‑502.

Affected Systems

The vulnerability affects all installs of the WordPress Borgholm marketing‑agency theme running any version prior to 1.6. The theme is distributed by Select‑Themes under the name Borgholm. The listed version range is n/a through < 1.6.

Risk and Exploitability

The CVSS score of 9.8 highlights a critical severity, and the EPSS score of less than 1% suggests that the public exploitation probability is currently low. The vulnerability is not listed in the CISA KEV catalog, but the potential for remote code execution remains high. From the description, it is inferred that the attack vector is remote via the theme’s handling of user‑supplied data, such as form submissions or URL parameters, that are deserialized without validation.

Generated by OpenCVE AI on March 26, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Borgholm theme to version 1.6 or later

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Select-themes; Select-themes borgholm; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Select-themes; Select-themes borgholm; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection. This issue affects Borgholm: from n/a through < 1.6.

Type: Title
Values Removed: (none)
Values Added: WordPress Borgholm theme < 1.6 - PHP Object Injection vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-502

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:40:09.212Z

Reserved: 2026-03-12T11:12:07.663Z

Link: CVE-2026-32502

Vulnrichment

Updated: 2026-03-26T15:39:54.199Z

NVD

Status: Received

Published: 2026-03-25T17:17:02.217

Modified: 2026-03-26T16:16:09.447

Link: CVE-2026-32502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:59Z

Weaknesses