{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32509", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:13.806Z", "datePublished": "2026-03-25T16:15:04.245Z", "dateUpdated": "2026-03-25T16:15:04.245Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "gracey", "product": "Gracey", "vendor": "Edge-Themes", "versions": [{"changes": [{"at": "1.4", "status": "unaffected"}], "lessThanOrEqual": "< 1.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:40.076Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey allows Object Injection.<p>This issue affects Gracey: from n/a through < 1.4.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey allows Object Injection.This issue affects Gracey: from n/a through < 1.4."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:04.245Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/gracey/vulnerability/wordpress-gracey-theme-1-4-arbitrary-object-instantiation-vulnerability?_s_id=cve"}], "title": "WordPress Gracey theme < 1.4 - Arbitrary Object Instantiation vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey allows Object Injection.This issue affects Gracey: from n/a through < 1.4."}], "id": "CVE-2026-32509", "lastModified": "2026-03-25T17:17:03.140", "metrics": {}, "published": "2026-03-25T17:17:03.140", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/gracey/vulnerability/wordpress-gracey-theme-1-4-arbitrary-object-instantiation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:21:31.930817+00:00", "value": {"mitigation_remediation": ["Update the Gracey theme to version 1.4 or later, which removes the deserialization weakness.", "If an upgrade is not immediately possible, disable or uninstall the Gracey theme from the WordPress site.", "Verify that any data passed to PHP's unserialize function is properly validated or sanitized.", "Monitor web server and application logs for attempts to inject serialized data or unexpected object instantiations.", "Consider deploying security plugins that inspect or block serialized data to reduce exploitation risk."], "summary": {"action": "Immediate Patch", "impact": "Object Injection"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the Edge\u2011Themes Gracey theme with a version less than 1.4 are affected. All releases up to, but not including, 1.4 contain the flaw, so any site running those versions is susceptible.", "description_and_impact": "The Gracey theme deserializes data from untrusted sources, enabling an attacker to inject arbitrary PHP object instances. This object injection flaw could allow modification of application flow or execution of unintended code. The vulnerability is classified as CWE\u2011502, a deserialization of untrusted data weakness.", "risk_and_exploitability": "Because the flaw involves unserialization of external input, attackers may craft a serialized payload and submit it through a form or URL that the theme processes. The CVSS score is not provided, and the EPSS score is unavailable, so the probability of exploitation is unclear. The CVE does not explicitly state that remote code execution is achieved, but it is inferred that malicious object instantiation could lead to that outcome if used with later application logic; therefore the risk is considered significant until mitigated."}}}}, "created": "2026-03-25T21:47:31.057461+00:00", "updated": "2026-03-25T21:47:31.057497+00:00", "vendors": []}