Description
Deserialization of Untrusted Data vulnerability in Mikado-Themes Halstein halstein allows Object Injection. This issue affects Halstein: from n/a through < 1.8.
Published: 2026-03-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability involves deserialization of untrusted data within the Halstein theme of WordPress, enabling attackers to inject arbitrary PHP objects. This object injection can result in remote code execution, allowing an attacker to run arbitrary code with the permissions of the web server, potentially compromising the entire site.

Affected Systems

All releases of the Halstein theme by Mikado‑Themes prior to version 1.8 are affected. Users running any of those earlier versions are exposed to the risk.

Risk and Exploitability

The CVSS base score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests low current exploit probability. The vulnerability is not included in CISA’s KEV catalog. Exploitation would typically involve supplying crafted serialized data (most likely through user‑submitted forms or data import features), though the exact attack vector is inferred from the nature of the weakness. Administrators should treat the issue as a moderate risk and act promptly to mitigate.

Generated by OpenCVE AI on March 26, 2026 at 18:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Halstein theme to version 1.8 or newer
  • Test site functionality after the update to confirm the vulnerability is resolved
  • If the update cannot be applied immediately, temporarily disable the theme until a patch is available



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}` |
| | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Thu, 26 Mar 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Mikado-themes; Mikado-themes halstein; Wordpress; Wordpress wordpress |
| Vendors & Products | | Mikado-themes; Mikado-themes halstein; Wordpress; Wordpress wordpress |

Wed, 25 Mar 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Deserialization of Untrusted Data vulnerability in Mikado-Themes Halstein halstein allows Object Injection. This issue affects Halstein: from n/a through < 1.8. |
| Title | | WordPress Halstein theme < 1.8 - Arbitrary Object Instantiation vulnerability |
| Weaknesses | | CWE-502 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:55:43.958Z

Reserved: 2026-03-12T11:12:13.805Z

Link: CVE-2026-32508

Vulnrichment

Updated: 2026-03-26T15:55:41.039Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:17:03.010

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:54Z

Weaknesses