{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32484", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:55.347Z", "datePublished": "2026-03-25T16:14:57.893Z", "dateUpdated": "2026-03-25T16:14:57.893Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "weforms", "product": "weForms", "vendor": "BoldGrid", "versions": [{"changes": [{"at": "1.6.27", "status": "unaffected"}], "lessThanOrEqual": "<= 1.6.26", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:36.697Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection.<p>This issue affects weForms: from n/a through <= 1.6.26.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection.This issue affects weForms: from n/a through <= 1.6.26."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:57.893Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/weforms/vulnerability/wordpress-weforms-plugin-1-6-26-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress weForms plugin <= 1.6.26 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection.This issue affects weForms: from n/a through <= 1.6.26."}], "id": "CVE-2026-32484", "lastModified": "2026-03-25T17:16:59.457", "metrics": {}, "published": "2026-03-25T17:16:59.457", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/weforms/vulnerability/wordpress-weforms-plugin-1-6-26-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T20:09:31.401927+00:00", "value": {"mitigation_remediation": ["Update BoldGrid weForms to the latest version that removes the deserialization flaw.", "If a patch is not yet available, temporarily disable the weForms plugin or restrict its functionality until an updated release is released.", "Continuously monitor BoldGrid security advisories for updates or additional mitigation guidance."], "summary": {"action": "Patch Plugin", "impact": "Remote code execution via PHP object injection (inferred)"}, "threat_synthesis": {"affected_systems": "WordPress sites that host the BoldGrid weForms plugin version 1.6.26 or earlier. The issue is present in all releases from the earliest available version up to and including 1.6.26, regardless of form configuration.", "description_and_impact": "The weForms plugin for WordPress deserializes data from untrusted form submissions without validation, allowing PHP object injection. This flaw could enable an attacker to craft malicious payloads that, when deserialized, result in arbitrary code execution with the privileges of the WordPress site. The potential impact includes compromising site integrity, confidentiality, and availability, and may serve as a foothold for further system exploitation.", "risk_and_exploitability": "The CVSS score is not disclosed in the available information, but the nature of PHP object injection strongly suggests a high severity rating. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, so the exact likelihood of exploitation cannot be quantified. The likely attack vector involves submitting specially crafted data through form fields that the plugin processes during normal operation. Given the potential for remote code execution, the risk to affected sites is significant and warrants immediate attention."}}}}, "created": "2026-03-25T21:43:42.196278+00:00", "updated": "2026-03-25T21:43:42.196303+00:00", "vendors": []}