{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24978", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:46.305Z", "datePublished": "2026-03-25T16:14:35.214Z", "dateUpdated": "2026-04-28T16:14:52.534Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "jobica-core", "product": "Jobica Core", "vendor": "NooTheme", "versions": [{"changes": [{"at": "1.4.2", "status": "unaffected"}], "lessThanOrEqual": "1.4.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:47.642Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-core allows Object Injection.<p>This issue affects Jobica Core: from n/a through <= 1.4.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-core allows Object Injection.This issue affects Jobica Core: from n/a through <= 1.4.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:52.534Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/jobica-core/vulnerability/wordpress-jobica-core-plugin-1-4-1-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Jobica Core plugin <= 1.4.1 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:41:49.284308Z", "id": "CVE-2026-24978", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:58:31.466Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24978", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:46.305Z", "datePublished": "2026-03-25T16:14:35.214Z", "dateUpdated": "2026-04-28T14:58:31.466Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "jobica-core", "product": "Jobica Core", "vendor": "NooTheme", "versions": [{"changes": [{"at": "1.4.2", "status": "unaffected"}], "lessThanOrEqual": "1.4.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:47.642Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-core allows Object Injection.<p>This issue affects Jobica Core: from n/a through <= 1.4.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-core allows Object Injection.This issue affects Jobica Core: from n/a through <= 1.4.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:07.558Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/jobica-core/vulnerability/wordpress-jobica-core-plugin-1-4-1-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Jobica Core plugin <= 1.4.1 - PHP Object Injection vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24978", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:41:49.284308Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:41:58.630Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-core allows Object Injection.This issue affects Jobica Core: from n/a through <= 1.4.1."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en NooTheme Jobica Core jobica-core permite la inyecci\u00f3n de objetos. Este problema afecta a Jobica Core: desde n/a hasta &lt;= 1.4.1."}], "id": "CVE-2026-24978", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:40.180", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/jobica-core/vulnerability/wordpress-jobica-core-plugin-1-4-1-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Jobica Core", "source": "cna", "vendor": "NooTheme"}, "product": "jobica_core", "vendor": "nootheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T17:42:57.584633+00:00", "value": {"mitigation_remediation": ["Verify the current version of the Jobica Core plugin installed on the WordPress site.", "Upgrade the plugin to the latest stable release, which is newer than version 1.4.1, following the vendor\u2019s update procedure.", "If an immediate update cannot be applied, disable or remove the plugin from the site until the update is installed.", "Review site audit logs for signs of exploitation or anomalous activity.", "Keep WordPress core, themes, and all other plugins updated to reduce overall risk."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via PHP Object Injection"}, "threat_synthesis": {"affected_systems": "The NooTheme Jobica Core plugin for WordPress, versions up to and including 1.4.1, is vulnerable. The issue applies to any WordPress installation that uses a vulnerable release of the plugin; no specific PHP or OS versions are mentioned, so the flaw is broad in scope.", "description_and_impact": "Deserialization of untrusted data in the NooTheme Jobica Core WordPress plugin allows attackers to inject malicious PHP objects. This object injection falls under CWE\u2011502 and can permit the execution of arbitrary code inside the web site, jeopardizing confidentiality, integrity, and availability. The vulnerability can lead to a full takeover of a vulnerable WordPress site.", "risk_and_exploitability": "The CVSS score of 8.8 classifies the risk as high, and the EPSS score of less than 1% indicates that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known active exploits at this time. Nonetheless, the flaw permits remote code execution when the plugin deserializes data submitted over the web interface, making the attack vector remote via the website."}}}}, "created": "2026-03-25T21:34:31.301747+00:00", "updated": "2026-03-27T09:46:17.625064+00:00", "vendors": ["nootheme", "nootheme$PRODUCT$jobica_core", "wordpress", "wordpress$PRODUCT$wordpress"]}