{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24974", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:41.578Z", "datePublished": "2026-03-25T16:14:34.280Z", "dateUpdated": "2026-04-28T16:14:52.209Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "noo-citilights", "product": "CitiLights", "vendor": "NooTheme", "versions": [{"changes": [{"at": "3.7.2", "status": "unaffected"}], "lessThanOrEqual": "3.7.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:51.541Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection.<p>This issue affects CitiLights: from n/a through <= 3.7.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection.This issue affects CitiLights: from n/a through <= 3.7.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:52.209Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/noo-citilights/vulnerability/wordpress-citilights-theme-3-7-1-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress CitiLights theme <= 3.7.1 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:41:03.549318Z", "id": "CVE-2026-24974", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:57:21.814Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24974", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:41:03.549318Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:40:57.318Z"}}], "cna": {"title": "WordPress CitiLights theme <= 3.7.1 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NooTheme", "product": "CitiLights", "versions": [{"status": "affected", "changes": [{"at": "3.7.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "3.7.1"}], "packageName": "noo-citilights", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:51.541Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/noo-citilights/vulnerability/wordpress-citilights-theme-3-7-1-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection.This issue affects CitiLights: from n/a through <= 3.7.1.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection.<p>This issue affects CitiLights: from n/a through <= 3.7.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:07.271Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24974", "state": "PUBLISHED", "dateUpdated": "2026-04-24T15:35:42.277Z", "dateReserved": "2026-01-28T09:50:41.578Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:34.280Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection.This issue affects CitiLights: from n/a through <= 3.7.1."}, {"lang": "es", "value": "Deserializaci\u00f3n de Datos No Confiables vulnerabilidad en NooTheme CitiLights noo-citilights permite Inyecci\u00f3n de Objetos. Este problema afecta a CitiLights: desde n/a hasta &lt;= 3.7.1."}], "id": "CVE-2026-24974", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:39.620", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/noo-citilights/vulnerability/wordpress-citilights-theme-3-7-1-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.1]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 97.0, "source": "matching"}]}, "original": {"product": "CitiLights", "source": "cna", "vendor": "NooTheme"}, "product": "citilights", "vendor": "nootheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T19:09:27.403128+00:00", "value": {"mitigation_remediation": ["Update the NooTheme CitiLights theme to the latest version (greater than 3.7.1).", "If an update is not yet available, deactivate or delete the theme from the WordPress site to eliminate the exposure.", "Apply standard WordPress security hardening: limit file\u2011upload permissions, keep core WordPress and PHP up to date, and monitor logs for anomalous activity related to serialized data.", "If uncertainty remains, contact NooTheme support for the latest patch information."], "summary": {"action": "Patch Immediately", "impact": "Object Injection"}, "threat_synthesis": {"affected_systems": "All WordPress installations that have the CitiLights theme running any version up to and including 3.7.1 are impacted. The issue affects the theme across all hosting environments where the theme is activated, regardless of server configuration.", "description_and_impact": "The vulnerability in the NooTheme CitiLights WordPress theme is a PHP Object Injection flaw caused by deserialization of untrusted data. Attackers can supply crafted serialized payloads that result in the instantiation of arbitrary PHP objects when the theme processes them. The flaw, classified as CWE-502, may allow attackers to compromise the confidentiality, integrity, or availability of the site content and potentially other data stored by the WordPress installation.", "risk_and_exploitability": "With a CVSS base score of 8.8 the vulnerability is considered high severity, but the EPSS score of less than 1% indicates a currently low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be any part of the theme that accepts serialized input, such as theme options or front\u2011end forms, which would allow an attacker to trigger the object injection."}}}}, "created": "2026-03-25T21:34:35.254377+00:00", "updated": "2026-03-27T09:46:20.372938+00:00", "vendors": ["nootheme", "nootheme$PRODUCT$citilights", "wordpress", "wordpress$PRODUCT$wordpress"]}