{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32502", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:07.663Z", "datePublished": "2026-03-25T16:15:00.990Z", "dateUpdated": "2026-03-25T16:15:00.990Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "borgholm-marketing-agency-theme", "product": "Borgholm", "vendor": "Select-Themes", "versions": [{"changes": [{"at": "1.6", "status": "unaffected"}], "lessThanOrEqual": "< 1.6", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:38.713Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.<p>This issue affects Borgholm: from n/a through < 1.6.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:00.990Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/borgholm-marketing-agency-theme/vulnerability/wordpress-borgholm-theme-1-6-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Borgholm theme < 1.6 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6."}], "id": "CVE-2026-32502", "lastModified": "2026-03-25T17:17:02.217", "metrics": {}, "published": "2026-03-25T17:17:02.217", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/borgholm-marketing-agency-theme/vulnerability/wordpress-borgholm-theme-1-6-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:32:52.186383+00:00", "value": {"mitigation_remediation": ["Update the Borgholm theme to version 1.6 or later.", "If an update is not available, deactivate or remove the theme from the WordPress site.", "Verify that no legacy files from the old theme remain on the server.", "Check the Select\u2011Themes website or reputable advisory sites for additional security notices or patches."], "summary": {"action": "Apply Patch", "impact": "Remote code execution via PHP object injection"}, "threat_synthesis": {"affected_systems": "All installations of the Borgholm marketing agency theme from its initial release through any version prior to 1.6 are susceptible. Any WordPress site using those versions is potentially exposed.", "description_and_impact": "The vulnerability results from unchecked deserialization of untrusted data in the Borgholm WordPress theme, allowing an attacker to inject arbitrary PHP objects. This flaw can directly lead to remote code execution or other unauthorized administrative actions, thereby compromising the confidentiality, integrity, and availability of the site.", "risk_and_exploitability": "CVSS metrics are not disclosed, and the EPSS score is unavailable, so the precise likelihood of exploitation cannot be quantified. Despite this, the potential for remote code execution categorizes the vulnerability as high risk. The flaw can be triggered by any input that the theme processes without proper sanitization, and no special environmental conditions are required. The vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-03-25T21:47:37.569626+00:00", "updated": "2026-03-25T21:47:37.569720+00:00", "vendors": []}