{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27084", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:58.963Z", "datePublished": "2026-03-25T16:14:55.996Z", "dateUpdated": "2026-03-25T16:14:55.996Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "buisson", "product": "Buisson", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "<= 1.1.11", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:36.310Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection.<p>This issue affects Buisson: from n/a through <= 1.1.11.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection.This issue affects Buisson: from n/a through <= 1.1.11."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:55.996Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/buisson/vulnerability/wordpress-buisson-theme-1-1-11-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Buisson theme <= 1.1.11 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection.This issue affects Buisson: from n/a through <= 1.1.11."}], "id": "CVE-2026-27084", "lastModified": "2026-03-25T17:16:56.133", "metrics": {}, "published": "2026-03-25T17:16:56.133", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/buisson/vulnerability/wordpress-buisson-theme-1-1-11-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:41:25.103753+00:00", "value": {"mitigation_remediation": ["Update the Buisson theme to a version higher than 1.1.11 once an official patch is released.", "If an update is not yet available, deactivate or uninstall the Buisson theme to eliminate the attack surface.", "Verify that no suspicious code or objects exist in the theme\u2019s files and monitor site logs for signs of exploitation."], "summary": {"action": "Update Theme", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The defect exists in the ThemeREX Buisson WordPress theme, affecting all releases up to and including version 1.1.11. WordPress sites that use this theme in any of those versions are impacted.", "description_and_impact": "This vulnerability enables PHP Object Injection through deserialization of untrusted data within the Buisson theme. An attacker who can supply malicious serialized objects may cause the theme to instantiate arbitrary objects, potentially leading to arbitrary code execution, data manipulation, or credential compromise on the affected WordPress site.", "risk_and_exploitability": "The CVE classification indicates a serious flaw (CWE-502). Although no EPSS score is available, the nature of object injection implies a high likelihood of exploitation if attackers can deliver crafted payloads, for example via theme input forms or data endpoints. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild, yet the potential remains significant for sites running the affected theme."}}}}, "created": "2026-03-25T21:43:52.943112+00:00", "updated": "2026-03-25T21:43:52.943157+00:00", "vendors": []}