{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24981", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:46.305Z", "datePublished": "2026-03-25T16:14:35.700Z", "dateUpdated": "2026-04-28T16:14:52.542Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "noo-visionary-core", "product": "Visionary Core", "vendor": "NooTheme", "versions": [{"changes": [{"at": "1.5.0", "status": "unaffected"}], "lessThanOrEqual": "1.4.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:42.092Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection.<p>This issue affects Visionary Core: from n/a through <= 1.4.9.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection.This issue affects Visionary Core: from n/a through <= 1.4.9."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:52.542Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/noo-visionary-core/vulnerability/wordpress-visionary-core-plugin-1-4-9-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Visionary Core plugin <= 1.4.9 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:49:58.673537Z", "id": "CVE-2026-24981", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:14:33.016Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24981", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:49:58.673537Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:50:25.754Z"}}], "cna": {"title": "WordPress Visionary Core plugin <= 1.4.9 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "NooTheme", "product": "Visionary Core", "versions": [{"status": "affected", "changes": [{"at": "1.5.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.9"}], "packageName": "noo-visionary-core", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:42.092Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/noo-visionary-core/vulnerability/wordpress-visionary-core-plugin-1-4-9-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection.This issue affects Visionary Core: from n/a through <= 1.4.9.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection.<p>This issue affects Visionary Core: from n/a through <= 1.4.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:07.606Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24981", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:14:33.016Z", "dateReserved": "2026-01-28T09:50:46.305Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:35.700Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection.This issue affects Visionary Core: from n/a through <= 1.4.9."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en NooTheme Visionary Core noo-visionary-core permite la inyecci\u00f3n de objetos. Este problema afecta a Visionary Core: desde n/a hasta &lt;= 1.4.9."}], "id": "CVE-2026-24981", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:40.610", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/noo-visionary-core/vulnerability/wordpress-visionary-core-plugin-1-4-9-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Visionary Core", "source": "cna", "vendor": "NooTheme"}, "product": "visionary_core", "vendor": "nootheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T19:08:30.841095+00:00", "value": {"mitigation_remediation": ["Upgrade the Visionary Core plugin to version 1.4.10 or higher, which removes the deserialization vulnerability", "If an upgrade is not immediately possible, temporarily disable or remove the Visionary Core plugin to prevent exploitation", "Apply any additional security controls such as strict input validation or web application firewall rules to block malicious serialized payloads", "Monitor site logs for unusual deserialization activity and consider performing a security audit to detect potential compromise"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of the WordPress Visionary Core plugin from NooTheme that are version 1.4.9 or earlier are affected. Any site that has not yet upgraded beyond version 1.4.9 remains at risk.", "description_and_impact": "Deserialization of untrusted data in the NooTheme Visionary Core plugin enables object injection, allowing an attacker to create a malicious payload that is processed by the plugin\u2019s deserialization routine. This can trigger execution of arbitrary PHP code, leading to full compromise of the WordPress site\u2019s confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, while an EPSS score below 1% suggests a low probability of exploitation in the near term. The vulnerability is not currently listed in the CISA KEV catalog, but the combination of a high severity score and the ability to inject object payloads via web requests makes remote exploitation feasible. Attackers can craft requests containing malicious serialized objects and send them to the plugin\u2019s input handlers, potentially gaining full control over the server if the site accepts such input without proper filtering."}}}}, "created": "2026-03-25T21:34:28.415244+00:00", "updated": "2026-03-27T09:46:16.768031+00:00", "vendors": ["nootheme", "nootheme$PRODUCT$visionary_core", "wordpress", "wordpress$PRODUCT$wordpress"]}