Description
Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey allows Object Injection. This issue affects Gracey: from n/a through < 1.4.
Published: 2026-03-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Gracey theme for WordPress contains a deserialization flaw that permits an attacker to inject an arbitrary PHP object by submitting crafted serialized data. This object injection can be used to instantiate objects with unintended parameters, leading to potential execution of malicious code on the web server. The flaw is identified as a deserialization of untrusted data weakness (CWE‑502).

Affected Systems

Vulnerable installations are those running the Edge‑Themes Gracey theme in any released version prior to 1.4. The affected range is unspecified beyond the upper bound of <1.4, meaning all earlier versions are susceptible. No specific revision numbers are provided, so users should consider any prior release insecure.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is below 1%, suggesting a low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, through the public WordPress site; an attacker would need to supply malformed serialized input to the theme’s deserialization logic. Based on the description, it is inferred that successful exploitation requires carefully crafted payloads and bypassing input validation, but it could ultimately lead to remote code execution on the server.

Generated by OpenCVE AI on March 26, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Gracey 1.4 or later
  • If upgrade is not immediately possible, replace or temporarily disable the Gracey theme


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 14:15:00 +0000

Values Removed: none
Values Added:
  • Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Values Removed: none
Values Added:
  • First Time appeared: Edge-themes; Edge-themes gracey; Wordpress; Wordpress wordpress
  • Vendors & Products: Edge-themes; Edge-themes gracey; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Values Removed: none
Values Added:
  • Description: Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey allows Object Injection. This issue affects Gracey: from n/a through < 1.4.
  • Title: WordPress Gracey theme < 1.4 - Arbitrary Object Instantiation vulnerability
  • Weaknesses: CWE-502
  • References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T13:33:35.628Z

Reserved: 2026-03-12T11:12:13.806Z

Link: CVE-2026-32509

Vulnrichment

Updated: 2026-03-26T13:32:10.530Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:17:03.140

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32509

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:53Z
