{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25400", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:12.987Z", "datePublished": "2026-03-25T16:14:48.183Z", "dateUpdated": "2026-03-25T16:14:48.183Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "apicona", "product": "Apicona", "vendor": "thememount", "versions": [{"lessThanOrEqual": "<= 24.1.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:28.184Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.<p>This issue affects Apicona: from n/a through <= 24.1.0.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.This issue affects Apicona: from n/a through <= 24.1.0."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:48.183Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/apicona/vulnerability/wordpress-apicona-theme-24-1-0-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Apicona theme <= 24.1.0 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.This issue affects Apicona: from n/a through <= 24.1.0."}], "id": "CVE-2026-25400", "lastModified": "2026-03-25T17:16:49.493", "metrics": {}, "published": "2026-03-25T17:16:49.493", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/apicona/vulnerability/wordpress-apicona-theme-24-1-0-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:54:15.580646+00:00", "value": {"mitigation_remediation": ["Update the Apicona theme to a version newer than 24.1.0", "Confirm that the updated theme no longer contains the vulnerable unserialize code", "If an update cannot be applied immediately, replace the theme with a secure alternative as a temporary measure", "Review and limit any user input that may be deserialized by the theme to reduce exploitation risk"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the Apicona theme version 24.1.0 or earlier are affected. Site administrators should verify the theme version and determine whether the application is running a vulnerable release.", "description_and_impact": "The vulnerability is a Deserialization of Untrusted Data flaw in the Apicona theme that allows an attacker to inject malicious PHP objects during unserialization. This weakness, identified as CWE\u2011502, enables the attacker to potentially execute arbitrary code or cause other destructive effects on the WordPress site.", "risk_and_exploitability": "The CVSS score is not provided, and EPSS data is unavailable, so a precise quantitative risk cannot be determined. However, the flaw can be triggered by sending crafted serialized data to the theme\u2019s processing routines, which may allow remote code execution. The most likely attack vector is through any input that the theme passes to PHP\u2019s unserialize function; this is inferred from the description and is not explicitly stated in the data. The vulnerability is not listed in the CISA KEV catalog, indicating that no publicly reported exploits are known at this time."}}}}, "created": "2026-03-25T21:44:36.455916+00:00", "updated": "2026-03-25T21:44:36.455949+00:00", "vendors": []}