{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32512", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:13.806Z", "datePublished": "2026-03-25T16:15:05.596Z", "dateUpdated": "2026-03-25T16:15:05.596Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "pelicula-video-production-and-movie-theme", "product": "Pelicula", "vendor": "Edge-Themes", "versions": [{"changes": [{"at": "1.10", "status": "unaffected"}], "lessThanOrEqual": "< 1.10", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:20.857Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.<p>This issue affects Pelicula: from n/a through < 1.10.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.This issue affects Pelicula: from n/a through < 1.10."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:05.596Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/pelicula-video-production-and-movie-theme/vulnerability/wordpress-pelicula-theme-1-10-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Pelicula theme < 1.10 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.This issue affects Pelicula: from n/a through < 1.10."}], "id": "CVE-2026-32512", "lastModified": "2026-03-25T17:17:03.543", "metrics": {}, "published": "2026-03-25T17:17:03.543", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/pelicula-video-production-and-movie-theme/vulnerability/wordpress-pelicula-theme-1-10-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:29:20.812730+00:00", "value": {"mitigation_remediation": ["Update the Pelicula theme to version 1.10 or later.", "Verify the currently installed theme version on your WordPress site.", "If an update is unavailable, remove the Pelicula theme or disable any of its serialization features.", "Audit the theme's use of unserialize to ensure no untrusted data is processed.", "Monitor server logs for unexpected PHP execution patterns or errors."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Edge-Themes Pelicula theme with a version earlier than 1.10 are susceptible. The issue applies to all versions from the theme's initial release up to and excluding 1.10.", "description_and_impact": "The vulnerability is a PHP object injection caused by deserializing untrusted data in the Pelicula video production and movie theme. An attacker can craft a serialized object that, when unserialized by the theme, may lead to remote code execution or other compromises. The weakness is classified as CWE-502: Deserialization of Untrusted Data.", "risk_and_exploitability": "No CVSS score, EPSS, or KEV data is provided, so the exact numerical risk is unknown. However, because the flaw permits object injection, it can allow an attacker to execute arbitrary PHP code on the affected server if the serialized payload is accepted. The probable attack vector involves supplying malicious serialized data through the theme's input handling mechanisms, such as form submissions or query parameters, leading to high risk for any site still running a vulnerable theme version."}}}}, "created": "2026-03-25T21:47:28.139523+00:00", "updated": "2026-03-25T21:47:28.139568+00:00", "vendors": []}