{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32507", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:07.664Z", "datePublished": "2026-03-25T16:15:03.836Z", "dateUpdated": "2026-03-25T20:26:52.764Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "leroux", "product": "Leroux", "vendor": "Elated-Themes", "versions": [{"changes": [{"at": "1.4", "status": "unaffected"}], "lessThanOrEqual": "< 1.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:39.785Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.<p>This issue affects Leroux: from n/a through < 1.4.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.This issue affects Leroux: from n/a through < 1.4."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:03.836Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/leroux/vulnerability/wordpress-leroux-theme-1-4-arbitrary-object-instantiation-vulnerability?_s_id=cve"}], "title": "WordPress Leroux theme < 1.4 - Arbitrary Object Instantiation vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:25:27.199309Z", "id": "CVE-2026-32507", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:26:52.764Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32507", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:25:27.199309Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:19:55.867Z"}}], "cna": {"title": "WordPress Leroux theme < 1.4 - Arbitrary Object Instantiation vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "Elated-Themes", "product": "Leroux", "versions": [{"status": "affected", "changes": [{"at": "1.4", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 1.4"}], "packageName": "leroux", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:39.785Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/leroux/vulnerability/wordpress-leroux-theme-1-4-arbitrary-object-instantiation-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.This issue affects Leroux: from n/a through < 1.4.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.<p>This issue affects Leroux: from n/a through < 1.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:03.836Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32507", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:26:52.764Z", "dateReserved": "2026-03-12T11:12:07.664Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:03.836Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection.This issue affects Leroux: from n/a through < 1.4."}], "id": "CVE-2026-32507", "lastModified": "2026-03-25T21:16:42.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:02.883", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/leroux/vulnerability/wordpress-leroux-theme-1-4-arbitrary-object-instantiation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:30:53.548858+00:00", "value": {"mitigation_remediation": ["Update the Leroux theme to version 1.4 or later.", "If an update is not immediately possible, disable or remove the Leroux theme to prevent exploitation.", "Review any custom code that serializes/deserializes data within the theme and remove untrusted deserialization calls.", "Consider implementing a security plugin that restricts deserialization of arbitrary classes as an additional safeguard."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Elated-Themes Leroux theme for WordPress versions prior to 1.4 are affected, including all releases from the earliest available version through 1.3. The issue is present in every build that has not yet reached the 1.4 release. Users running this theme on their WordPress sites are at risk if the vulnerable version is active.", "description_and_impact": "The vulnerability arises from deserialization of untrusted data in the Elated-Themes Leroux WordPress theme, permitting arbitrary object instantiation. This flaw can enable an attacker to inject malicious objects that may lead to remote code execution or significant modification of site data. The weakness is classified under CWE\u2011502, which covers deserialization vulnerabilities allowing code injection.", "risk_and_exploitability": "Because the flaw permits arbitrary object creation, the potential impact is high, though the CVSS score is not provided. The exploit probability is unclear due to missing EPSS data, and the vulnerability is not listed in the CISA KEV catalog. Attackers would likely trigger the deserialization by supplying crafted data via a theme or plugin endpoint that accepts serialized input. This attack vector is inferred from the description of untrusted data deserialization and the nature of WordPress theme input handling. Exercising caution and applying the recommended upgrade is essential."}}}}, "created": "2026-03-25T21:47:32.891765+00:00", "updated": "2026-03-25T21:47:32.891796+00:00", "vendors": []}