Description
Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection. This issue affects Leroux: from n/a through < 1.4.
Published: 2026-03-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Object Injection
Action: Patch
AI Analysis

Impact

The vulnerability allows attackers to inject arbitrary objects through the deserialization process of untrusted data within the Elated-Themes Leroux theme. This flaw falls under CWE‑502 and provides the potential for an attacker to alter application logic, gain unauthorized access, or execute code by crafting malicious serialized payloads. The impact is limited to the scope of the website that uses the theme and depends on the functions executed during deserialization.

Affected Systems

Elated-Themes Leroux theme, versions prior to 1.4. Any WordPress installation that includes this theme and is running a version older than 1.4 is affected.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity, suggesting significant but not critical risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation. The attack vector is inferred to be interaction with the theme's deserialization logic—likely via crafted requests or inputs that trigger unserialization. If the theme processes user-supplied data without proper validation, the vulnerability could be exploited by a remote attacker with internet access to the WordPress site.

Generated by OpenCVE AI on March 25, 2026 at 23:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Elated-Themes Leroux to version 1.4 or later
  • If an upgrade is not possible, sanitize or restrict any serialized data that the theme processes
  • Disable or limit PHP functions that enable arbitrary object deserialization, such as unserialize, unless required by the theme


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Elated-themes; Elated-themes leroux; Wordpress; Wordpress wordpress
Vendors & Products | | Elated-themes; Elated-themes leroux; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection. This issue affects Leroux: from n/a through < 1.4.
Title | | WordPress Leroux theme < 1.4 - Arbitrary Object Instantiation vulnerability
Weaknesses | | CWE-502
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:26:52.764Z

Reserved: 2026-03-12T11:12:07.664Z

Link: CVE-2026-32507

Vulnrichment

Updated: 2026-03-25T20:19:55.867Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:17:02.883

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32507

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:30Z

Weaknesses