{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23544", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-14T08:36:07.869Z", "datePublished": "2026-02-19T08:26:49.016Z", "dateUpdated": "2026-04-28T16:14:46.777Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "valenti", "product": "Valenti", "vendor": "codetipi", "versions": [{"lessThanOrEqual": "5.6.3.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:55.378Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in codetipi Valenti valenti allows Object Injection.<p>This issue affects Valenti: from n/a through <= 5.6.3.5.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in codetipi Valenti valenti allows Object Injection.This issue affects Valenti: from n/a through <= 5.6.3.5."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.777Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/valenti/vulnerability/wordpress-valenti-theme-5-6-3-5-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Valenti theme <= 5.6.3.5 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:32:16.979929Z", "id": "CVE-2026-23544", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:43:09.726Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23544", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T21:32:16.979929Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:31:34.772Z"}}], "cna": {"title": "WordPress Valenti theme <= 5.6.3.5 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "codetipi", "product": "Valenti", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "5.6.3.5"}], "packageName": "valenti", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:14.757Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/valenti/vulnerability/wordpress-valenti-theme-5-6-3-5-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in codetipi Valenti valenti allows Object Injection.This issue affects Valenti: from n/a through <= 5.6.3.5.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in codetipi Valenti valenti allows Object Injection.<p>This issue affects Valenti: from n/a through <= 5.6.3.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:44.296Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23544", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:43:09.726Z", "dateReserved": "2026-01-14T08:36:07.869Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:49.016Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in codetipi Valenti valenti allows Object Injection.This issue affects Valenti: from n/a through <= 5.6.3.5."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en codetipi Valenti valenti permite la inyecci\u00f3n de objetos. Este problema afecta a Valenti: desde n/a hasta &lt;= 5.6.3.5."}], "id": "CVE-2026-23544", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:12.340", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/valenti/vulnerability/wordpress-valenti-theme-5-6-3-5-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.6.3.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Valenti", "source": "cna", "vendor": "codetipi"}, "product": "valenti", "vendor": "codetipi"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T17:01:59.129584+00:00", "value": {"mitigation_remediation": ["Update the Valenti theme to the latest released version that fixes the deserialization issue", "If an update cannot be applied immediately, disable or remove the Valenti theme from the site", "Configure the server to reject or sanitize serialized payloads, preventing PHP object deserialization from untrusted sources"], "summary": {"action": "Immediate Patch", "impact": "Object Injection"}, "threat_synthesis": {"affected_systems": "All installations of the Valenti theme for WordPress versions 5.6.3.5 and earlier are affected. No specific WordPress core version is required; any site running the vulnerable theme is at risk.", "description_and_impact": "The flaw is a deserialization of untrusted data in the Codetipi Valenti WordPress theme, allowing PHP object injection. This weakness, classified as CWE\u2011502, could potentially enable an attacker to execute code on the site, representing a high\u2011risk impact.", "risk_and_exploitability": "With a CVSS score of 8.8, the vulnerability is high severity, though its EPSS score of less than 1% indicates a very low probability of exploitation at present, and it is not listed in the KEV catalog. The likely attack vector is through user\u2011supplied input that the theme deserializes; a successful exploit would allow code execution within the WordPress web context. Because the fix is not publicly referenced, users should treat this flaw as an urgent risk."}}}}, "created": "2026-02-20T10:11:20.485137+00:00", "updated": "2026-04-16T17:15:17.972929+00:00", "vendors": ["codetipi", "codetipi$PRODUCT$valenti", "wordpress", "wordpress$PRODUCT$wordpress"]}