{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23542", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-14T08:36:07.868Z", "datePublished": "2026-02-19T08:26:48.592Z", "dateUpdated": "2026-04-28T16:14:46.771Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "grandrestaurant", "product": "Grand Restaurant", "vendor": "ThemeGoods", "versions": [{"changes": [{"at": "7.0.11", "status": "unaffected"}], "lessThanOrEqual": "7.0.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:55.102Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.<p>This issue affects Grand Restaurant: from n/a through <= 7.0.10.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue affects Grand Restaurant: from n/a through <= 7.0.10."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.771Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/grandrestaurant/vulnerability/wordpress-grand-restaurant-theme-7-0-10-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Grand Restaurant theme <= 7.0.10 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:34:50.538786Z", "id": "CVE-2026-23542", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:42:49.246Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23542", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T21:34:50.538786Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:34:11.960Z"}}], "cna": {"title": "WordPress Grand Restaurant theme <= 7.0.10 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeGoods", "product": "Grand Restaurant", "versions": [{"status": "affected", "changes": [{"at": "7.0.11", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "7.0.10"}], "packageName": "grandrestaurant", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:55.102Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/grandrestaurant/vulnerability/wordpress-grand-restaurant-theme-7-0-10-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue affects Grand Restaurant: from n/a through <= 7.0.10.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.<p>This issue affects Grand Restaurant: from n/a through <= 7.0.10.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.771Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23542", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:46.771Z", "dateReserved": "2026-01-14T08:36:07.868Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:48.592Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue affects Grand Restaurant: from n/a through <= 7.0.10."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en ThemeGoods Grand Restaurant grandrestaurant permite la inyecci\u00f3n de objetos. Este problema afecta a Grand Restaurant: desde n/a hasta &lt;= 7.0.10."}], "id": "CVE-2026-23542", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:12.050", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/grandrestaurant/vulnerability/wordpress-grand-restaurant-theme-7-0-10-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.0.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Grand Restaurant", "source": "cna", "vendor": "ThemeGoods"}, "product": "grand_restaurant", "vendor": "themegoods"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T17:02:47.084188+00:00", "value": {"mitigation_remediation": ["Upgrade the Grand Restaurant theme to any non\u2011vulnerable released version by ThemeGoods (any version newer than 7.0.10).", "If an immediate upgrade cannot be performed, disable or remove the Grand Restaurant theme and switch to a secure alternative until a patch is available.", "Review and update all other WordPress components for similar deserialization flaws, and ensure that any functions accepting user input are hardened or removed."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected system is the WordPress Grand Restaurant theme, produced by ThemeGoods. Versions from the first release through 7.0.10 are susceptible. The problem resides in the theme\u2019s handling of serialized data rather than in WordPress core or other plugins.", "description_and_impact": "The vulnerability is an instance of insecure deserialization (CWE-502) in the Grand Restaurant WordPress theme. Untrusted serialized data can be supplied to the theme, allowing an attacker to instantiate arbitrary objects and execute code, which leads directly to remote code execution. This flaw enables an attacker to tamper with integrity and confidentiality of the site, potentially taking full control over the affected WordPress installation. The description does not specify any special authorization requirements, implying that the attack may be carried out via standard web requests that reach the theme\u2019s processing endpoints. The inference that the attack vector is remote via web requests is drawn from the lack of explicit authorization in the description.", "risk_and_exploitability": "With a CVSS score of 9.8 the vulnerability is considered critical. The EPSS score is less than 1%, reflecting a low probability of exploitation at the time of analysis, yet the lack of known exploitation (not listed in KEV) does not diminish the severity. The likely attack vector is remote via the WordPress web interface wherever the theme accepts serialized input; no additional authentication or privilege escalation steps are documented, suggesting that any authenticated user or possibly even unauthenticated users could be leveraged depending on how the theme processes incoming data. This inference is based solely on the absence of explicit authorization in the description."}}}}, "created": "2026-02-20T10:11:22.332931+00:00", "updated": "2026-04-16T17:15:17.973664+00:00", "vendors": ["themegoods", "themegoods$PRODUCT$grand_restaurant", "wordpress", "wordpress$PRODUCT$wordpress"]}