{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0677", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T17:39:35.855Z", "datePublished": "2026-03-20T09:31:42.957Z", "dateUpdated": "2026-04-28T16:14:40.444Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "totalcontest-lite", "product": "TotalContest Lite", "vendor": "TotalSuite", "versions": [{"lessThanOrEqual": "2.9.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "hhhai | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:02.454Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Injection.<p>This issue affects TotalContest Lite: from n/a through <= 2.9.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Injection.This issue affects TotalContest Lite: from n/a through <= 2.9.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:40.444Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/totalcontest-lite/vulnerability/wordpress-totalcontest-lite-plugin-2-9-1-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress TotalContest Lite plugin <= 2.9.1 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T11:48:58.164115Z", "id": "CVE-2026-0677", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T11:54:03.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0677", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T11:48:58.164115Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T11:53:48.720Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress TotalContest Lite plugin <= 2.9.1 - PHP Object Injection vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "hhhai | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "TotalSuite", "product": "TotalContest Lite", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "2.9.1"}], "packageName": "totalcontest-lite", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/totalcontest-lite/vulnerability/wordpress-totalcontest-lite-plugin-2-9-1-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite allows Object Injection.This issue affects TotalContest Lite: from n/a through 2.9.1.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite allows Object Injection.<p>This issue affects TotalContest Lite: from n/a through 2.9.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-20T09:31:42.957Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0677", "state": "PUBLISHED", "dateUpdated": "2026-03-20T11:54:03.981Z", "dateReserved": "2026-01-07T17:39:35.855Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-20T09:31:42.957Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Injection.This issue affects TotalContest Lite: from n/a through <= 2.9.1."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en TotalSuite TotalContest Lite permite la inyecci\u00f3n de objetos. Este problema afecta a TotalContest Lite: desde n/a hasta 2.9.1."}], "id": "CVE-2026-0677", "lastModified": "2026-04-22T21:32:08.360", "metrics": {}, "published": "2026-03-20T10:16:18.257", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/totalcontest-lite/vulnerability/wordpress-totalcontest-lite-plugin-2-9-1-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.9.1]"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "TotalContest Lite", "source": "cna", "vendor": "TotalSuite"}, "product": "totalcontest", "vendor": "totalsuite"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-02T03:00:02.903008+00:00", "value": {"mitigation_remediation": ["Update the TotalContest Lite plugin to version 2.9.2 or later, which removes the vulnerable deserialization logic.", "If an immediate upgrade is not feasible, disable the TotalContest Lite plugin or restrict its access to trusted administrators only.", "Validate and sanitize all data inputs that the plugin processes, ensuring that only legitimate serialized data is accepted.", "Monitor server logs for anomalous PHP object deserialization attempts and review any unauthorized file uploads."], "summary": {"action": "Immediate Patch", "impact": "Object Injection potentially enabling Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the TotalContest Lite plugin version 2.9.1 or earlier are at risk. The plugin is distributed by TotalSuite and is commonly named TotalContest Lite in plugin directories.", "description_and_impact": "TotalSuite\u2019s TotalContest Lite plugin processes serialized data without validating its source, creating a deserialization weakness that permits attackers to inject arbitrary PHP objects. The vulnerability can be exploited to craft a malicious payload that, when the plugin deserializes it, may execute code on the web server or manipulate application data, compromising confidentiality, integrity, and availability of the affected WordPress site.", "risk_and_exploitability": "The EPSS score indicates a very low probability (<1%) that this flaw will be actively exploited in the wild, and it is not cataloged in CISA\u2019s KEV registry. The absence of a publicly disclosed exploit and the requirement for the attacker to supply crafted serialized data suggest that the attack vector is remote and requires some form of user or administrative interaction. Although the immediate risk level is low, the potential impact of Remote Code Execution warrants prompt attention."}}}}, "created": "2026-03-20T10:36:25.925519+00:00", "updated": "2026-04-02T07:59:34.050150+00:00", "vendors": ["totalsuite", "totalsuite$PRODUCT$totalcontest", "wordpress", "wordpress$PRODUCT$wordpress"]}