{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32507", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:07.664Z", "datePublished": "2026-03-25T16:15:03.836Z", "dateUpdated": "2026-03-25T20:26:52.764Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "leroux", "product": "Leroux", "vendor": "Elated-Themes", "versions": [{"changes": [{"at": "1.4", "status": "unaffected"}], "lessThanOrEqual": "< 1.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:39.785Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.<p>This issue affects Leroux: from n/a through < 1.4.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.This issue affects Leroux: from n/a through < 1.4."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:03.836Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/leroux/vulnerability/wordpress-leroux-theme-1-4-arbitrary-object-instantiation-vulnerability?_s_id=cve"}], "title": "WordPress Leroux theme < 1.4 - Arbitrary Object Instantiation vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:25:27.199309Z", "id": "CVE-2026-32507", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:26:52.764Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32507", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:25:27.199309Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:19:55.867Z"}}], "cna": {"title": "WordPress Leroux theme < 1.4 - Arbitrary Object Instantiation vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "Elated-Themes", "product": "Leroux", "versions": [{"status": "affected", "changes": [{"at": "1.4", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 1.4"}], "packageName": "leroux", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:39.785Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/leroux/vulnerability/wordpress-leroux-theme-1-4-arbitrary-object-instantiation-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.This issue affects Leroux: from n/a through < 1.4.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.<p>This issue affects Leroux: from n/a through < 1.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:03.836Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32507", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:26:52.764Z", "dateReserved": "2026-03-12T11:12:07.664Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:03.836Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.This issue affects Leroux: from n/a through < 1.4."}], "id": "CVE-2026-32507", "lastModified": "2026-03-25T21:16:42.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:02.883", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/leroux/vulnerability/wordpress-leroux-theme-1-4-arbitrary-object-instantiation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "leroux", "vendor": "elated-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T23:32:44.753874+00:00", "value": {"mitigation_remediation": ["Upgrade Elated-Themes Leroux to version 1.4 or later", "If an upgrade is not possible, sanitize or restrict any serialized data that the theme processes", "Disable or limit PHP functions that enable arbitrary object deserialization, such as unserialize, unless required by the theme"], "summary": {"action": "Patch", "impact": "Object Injection"}, "threat_synthesis": {"affected_systems": "Elated-Themes Leroux theme, versions prior to 1.4. Any WordPress installation that includes this theme and is running a version older than 1.4 is affected.", "description_and_impact": "The vulnerability allows attackers to inject arbitrary objects through the deserialization process of untrusted data within the Elated-Themes Leroux theme. This flaw falls under CWE\u2011502 and provides the potential for an attacker to alter application logic, gain unauthorized access, or execute code by crafting malicious serialized payloads. The impact is limited to the scope of the website that uses the theme and depends on the functions executed during deserialization.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a medium severity, suggesting significant but not critical risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. The attack vector is inferred to be interaction with the theme's deserialization logic\u2014likely via crafted requests or inputs that trigger unserialization. If the theme processes user-supplied data without proper validation, the vulnerability could be exploited by a remote attacker with internet access to the WordPress site."}}}}, "created": "2026-03-25T21:47:32.891765+00:00", "updated": "2026-03-26T12:12:30.066107+00:00", "vendors": ["elated-themes", "elated-themes$PRODUCT$leroux", "wordpress", "wordpress$PRODUCT$wordpress"]}