Description
Deserialization of Untrusted Data vulnerability in Edge-Themes Archicon archicon allows Object Injection. This issue affects Archicon: from n/a through < 1.7.
Published: 2026-03-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Object Injection via Deserialization
Action: Upgrade Theme
AI Analysis

Impact

The Archicon WordPress theme contains a deserialization flaw that accepts untrusted data and creates PHP objects from it, leading to arbitrary object injection as defined by CWE‑502. This weakness allows an attacker to introduce unintended objects into the application, potentially altering state or facilitating further exploitation; however, the official description does not confirm that it enables remote code execution.

Affected Systems

All installations of the Edge‑Themes Archicon theme with a version earlier than 1.7 are affected, regardless of any sub‑version designation. Both fresh WordPress deployments and existing sites that have not updated the theme are vulnerable.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity, while an EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. An attacker is likely to exploit this flaw by supplying crafted serialized input to a function provided by the theme, possibly through form submissions, URL parameters, or other user‑supplied data. If successful, the injected objects could alter application behavior or interact with other components, representing a significant risk to confidentiality and integrity.

Generated by OpenCVE AI on March 26, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Archicon theme to version 1.7 or later as released by Edge‑Themes.
  • If an immediate update is not available, deactivate or remove the Archicon theme from the WordPress installation to remove the vulnerable code path.
  • Limit the exposure of untrusted data to the theme’s deserialization routine by restricting form inputs or URL parameters that can carry serialized payloads.
  • Monitor site logs for abnormal activity or errors that might indicate attempted exploitation of the deserialization vulnerability.
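
The log-monitoring action above can be sketched as follows. This is an added example, not code from OpenCVE, Patchstack or Edge-Themes: it flags query parameters that carry a serialized PHP object, including double URL-encoded and base64-wrapped values. The parameter names "data" and "opts" and all log lines are constructed, since the advisory does not name the affected input.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, unquote_plus, urlsplit

# Serialized PHP object tokens, e.g. O:8:"stdClass":0:{ or C:11:"ArrayObject":21:{
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|PATCH|DELETE|HEAD) (\S+) HTTP/[\d.]+"')

def candidate_forms(value):
    """Yield the value as parsed, URL-decoded a second time, and base64-decoded."""
    yield value
    yield unquote_plus(value)
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        yield raw.decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass  # not base64, nothing more to try

def flag_request(request_target):
    """Return the query parameter names whose value holds a serialized PHP object."""
    params = parse_qsl(urlsplit(request_target).query, keep_blank_values=True)
    return [name for name, value in params
            if any(PHP_OBJECT.search(form) for form in candidate_forms(value))]

def scan_access_log(lines):
    """Return (client, parameter names) for each combined-format line with a hit."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m and flag_request(m.group(2)):
            hits.append((m.group(1), flag_request(m.group(2))))
    return hits

# Constructed sample lines; "data" and "opts" are hypothetical parameter names.
_B64 = quote(base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode(), safe="")
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Mar/2026:10:00:01 +0000] "GET /?s=villa&page=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [26/Mar/2026:10:00:05 +0000] "GET /?data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 5120',
    f'198.51.100.9 - - [26/Mar/2026:10:00:09 +0000] "POST /?opts={_B64} HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    for client, names in scan_access_log(SAMPLE_LOG):
        print(f"{client}: serialized PHP object in parameter(s) {', '.join(names)}")
```

Access logs record only the request line, so serialized data sent in POST bodies or cookies needs WAF or application-level logging to be seen.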



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Edge-themes; Edge-themes archicon; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Edge-themes; Edge-themes archicon; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Deserialization of Untrusted Data vulnerability in Edge-Themes Archicon archicon allows Object Injection. This issue affects Archicon: from n/a through < 1.7.

Type: Title
Values Removed: (none)
Values Added: WordPress Archicon theme < 1.7 - Arbitrary Object Instantiation vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-502

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:56:04.737Z

Reserved: 2026-03-12T11:12:07.664Z

Link: CVE-2026-32506

Vulnrichment

Updated: 2026-03-26T15:56:00.823Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:17:02.750

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:55Z

Weaknesses