{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25029", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:52:08.057Z", "datePublished": "2026-03-25T16:14:37.998Z", "dateUpdated": "2026-04-28T16:14:54.031Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "kidz", "product": "KIDZ", "vendor": "park_of_ideas", "versions": [{"changes": [{"at": "5.25", "status": "unaffected"}], "lessThanOrEqual": "5.24", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:38.810Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection.<p>This issue affects KIDZ: from n/a through <= 5.24.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection.This issue affects KIDZ: from n/a through <= 5.24."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:54.031Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/kidz/vulnerability/wordpress-kidz-theme-5-24-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress KIDZ theme <= 5.24 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:47:50.920465Z", "id": "CVE-2026-25029", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:26:36.771Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25029", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:47:50.920465Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:48:08.706Z"}}], "cna": {"title": "WordPress KIDZ theme <= 5.24 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "park_of_ideas", "product": "KIDZ", "versions": [{"status": "affected", "changes": [{"at": "5.25", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.24"}], "packageName": "kidz", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:38.810Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/kidz/vulnerability/wordpress-kidz-theme-5-24-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection.This issue affects KIDZ: from n/a through <= 5.24.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection.<p>This issue affects KIDZ: from n/a through <= 5.24.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:07.832Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25029", "state": "PUBLISHED", "dateUpdated": "2026-04-28T01:26:36.771Z", "dateReserved": "2026-01-28T09:52:08.057Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:37.998Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection.This issue affects KIDZ: from n/a through <= 5.24."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en park_of_ideas KIDZ kidz permite la inyecci\u00f3n de objetos. Este problema afecta a KIDZ: desde n/a hasta &lt;= 5.24."}], "id": "CVE-2026-25029", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:42.577", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/kidz/vulnerability/wordpress-kidz-theme-5-24-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.24]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "KIDZ", "source": "cna", "vendor": "park_of_ideas"}, "product": "kidz", "vendor": "park_of_ideas"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T19:08:17.360639+00:00", "value": {"mitigation_remediation": ["Update the KIDZ theme to any release newer than\u202f5.24 or apply the vendor\u2011supplied patch as noted in the advisory.", "If an update is not yet possible, deactivate or remove the KIDZ theme from the WordPress installation or replace it with a non\u2011vulnerable alternative.", "Keep the WordPress core and all other plugins at their latest secure versions to reduce overall attack surface.", "Verify that no exposed endpoints accept serialized data; if any exist, sanitize inputs or eliminate those functionalities.", "Monitor server logs for abnormal unserialize activity or signs of exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All releases of the KIDZ theme from the initial version through version\u202f5.24 are affected, regardless of the underlying WordPress core version. The theme, distributed by park_of_ideas and referred to as KIDZ, presents the vulnerability whenever it is present in a WordPress site.", "description_and_impact": "A vulnerability in the park_of_ideas KIDZ WordPress theme allows PHP Object Injection due to deserialization of untrusted data. This flaw, classified as CWE\u2011502, enables an attacker to instantiate arbitrary PHP objects when the theme processes incoming data. When successfully exploited, the attacker can execute arbitrary PHP code on the affected WordPress installation, compromising confidentiality, integrity, and availability of the site.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a critical severity, yet the EPSS score of less than 1\u202f% shows that exploitation is currently rare. The likely attack vector is network\u2011based delivery of a crafted serialized payload to the theme\u2019s processing endpoint. Based on the description, it is inferred that an attacker could transmit malicious data via HTTP requests that trigger PHP\u2019s unserialize function. Successful exploitation would grant remote code execution. Although the vulnerability is not yet listed in CISA\u2019s KEV catalog, its high severity and potential for complete site compromise demand immediate action."}}}}, "created": "2026-03-25T21:34:15.495078+00:00", "updated": "2026-03-27T09:46:10.147968+00:00", "vendors": ["park_of_ideas", "park_of_ideas$PRODUCT$kidz", "wordpress", "wordpress$PRODUCT$wordpress"]}