{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23971", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-19T16:14:52.936Z", "datePublished": "2026-03-25T16:14:29.883Z", "dateUpdated": "2026-04-28T16:14:47.256Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "woodmart", "product": "WoodMart", "vendor": "xtemos", "versions": [{"changes": [{"at": "8.3.9", "status": "unaffected"}], "lessThanOrEqual": "8.3.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:46.129Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.<p>This issue affects WoodMart: from n/a through <= 8.3.8.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.This issue affects WoodMart: from n/a through <= 8.3.8."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.256Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/woodmart/vulnerability/wordpress-woodmart-theme-8-3-8-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress WoodMart theme <= 8.3.8 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:56:53.186773Z", "id": "CVE-2026-23971", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:47:51.502Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23971", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:56:53.186773Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:57:03.974Z"}}], "cna": {"title": "WordPress WoodMart theme <= 8.3.8 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "xtemos", "product": "WoodMart", "versions": [{"status": "affected", "changes": [{"at": "8.3.9", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "8.3.8"}], "packageName": "woodmart", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:46.129Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/woodmart/vulnerability/wordpress-woodmart-theme-8-3-8-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.This issue affects WoodMart: from n/a through <= 8.3.8.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.<p>This issue affects WoodMart: from n/a through <= 8.3.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:04.041Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23971", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:47:51.502Z", "dateReserved": "2026-01-19T16:14:52.936Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:29.883Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.This issue affects WoodMart: from n/a through <= 8.3.8."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en xtemos WoodMart woodmart permite la inyecci\u00f3n de objetos. Este problema afecta a WoodMart: desde n/a hasta &lt;= 8.3.8."}], "id": "CVE-2026-23971", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:36.143", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/woodmart/vulnerability/wordpress-woodmart-theme-8-3-8-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.3.8]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[8.3.9,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WoodMart", "source": "cna", "vendor": "xtemos"}, "product": "woodmart", "vendor": "xtemos"}], "analysis": {"en": {"generated_at": "2026-04-07T02:30:26.404163+00:00", "value": {"mitigation_remediation": ["Update the WoodMart theme to any version newer than 8.3.8, such as 8.3.9", "If an immediate update is not possible, review the theme\u2019s code for calls to unserialize() and restrict them to known, trusted input or remove them outright", "Disable or sanitize any plugins or custom code that serializes user input before it is processed by the theme", "Ensure the entire WordPress installation and all plugins are updated to their latest security releases"], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of the WoodMart theme by xtemos up to and including version 8.3.8. Any site running one of these versions without an upgrade to 8.3.9 or later is exposed. Earlier releases are potentially affected as well unless explicitly patched for this issue.", "description_and_impact": "Deserialization of untrusted data in the WoodMart WordPress theme creates a PHP Object Injection weakness that allows an attacker to craft serialized payloads that become arbitrary PHP objects within the application. This flaw, identified as CWE\u2011502, can enable an attacker to execute custom code on the affected site, potentially leading to full site compromise.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of current exploitation, though the threat remains. The flaw is not listed in the CISA KEV catalogue. The likely attack vector is through any user-supplied data that the theme deserializes, such as query parameters, form submissions, or uploaded content. Based on the description, it is inferred that an attacker can trigger the vulnerability remotely by supplying crafted serialized input that the theme processes without proper validation."}}}}, "created": "2026-03-25T21:34:58.489279+00:00", "updated": "2026-04-07T08:08:58.315449+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "xtemos", "xtemos$PRODUCT$woodmart"]}