{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24974", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:41.578Z", "datePublished": "2026-03-25T16:14:34.280Z", "dateUpdated": "2026-03-25T16:14:34.280Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "noo-citilights", "product": "CitiLights", "vendor": "NooTheme", "versions": [{"changes": [{"at": "3.7.2", "status": "unaffected"}], "lessThanOrEqual": "<= 3.7.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:15.749Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection.<p>This issue affects CitiLights: from n/a through <= 3.7.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection.This issue affects CitiLights: from n/a through <= 3.7.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:34.280Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/noo-citilights/vulnerability/wordpress-citilights-theme-3-7-1-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress CitiLights theme <= 3.7.1 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection.This issue affects CitiLights: from n/a through <= 3.7.1."}], "id": "CVE-2026-24974", "lastModified": "2026-03-25T17:16:39.620", "metrics": {}, "published": "2026-03-25T17:16:39.620", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/noo-citilights/vulnerability/wordpress-citilights-theme-3-7-1-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:30:56.315200+00:00", "value": {"mitigation_remediation": ["Upgrade the NooTheme CitiLights theme to the latest version available, which must be newer than 3.7.1 to remove the flaw.", "If an upgrade cannot be performed immediately, temporarily switch to a WordPress theme that is actively maintained and not affected by this issue.", "Disable any features or plugins within the theme that accept or serialize untrusted data until a secure version is installed.", "Verify that theme files have not been altered by unauthorized users and consider implementing file\u2011integrity monitoring.", "Regularly check NooTheme\u2019s security advisories for updates or patches."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of the NooTheme CitiLights WordPress theme in versions 3.7.1 or earlier are affected. The issue applies to every release from the earliest available up to and including 3.7.1.", "description_and_impact": "The vulnerability is a PHP Object Injection flaw caused by deserialization of untrusted data in the NooTheme CitiLights theme. The flaw allows an attacker to instantiate arbitrary PHP objects and execute code, potentially compromising confidentiality, integrity, and availability of the WordPress site. The weakness matches CWE-502.", "risk_and_exploitability": "No CVSS score is supplied, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves HTTP requests or administrative interfaces that trigger the deserialization of data, a path inferred from the nature of the flaw. Successful exploitation can lead to remote code execution, making the risk significant for any site that allows unauthenticated or low\u2011privileged input to the vulnerable theme."}}}}, "created": "2026-03-25T21:34:35.254377+00:00", "updated": "2026-03-25T21:34:35.254487+00:00", "vendors": []}