{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25358", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:48.541Z", "datePublished": "2026-03-25T16:14:44.886Z", "dateUpdated": "2026-04-28T16:14:56.706Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "meloo", "product": "Meloo", "vendor": "rascals", "versions": [{"changes": [{"at": "2.8.2", "status": "unaffected"}], "lessThanOrEqual": "2.8.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:34.242Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection.<p>This issue affects Meloo: from n/a through < 2.8.2.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection.This issue affects Meloo: from n/a through < 2.8.2."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.706Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/meloo/vulnerability/wordpress-meloo-theme-2-8-2-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Meloo theme < 2.8.2 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:42:24.434556Z", "id": "CVE-2026-25358", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T01:34:39.675Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25358", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:42:24.434556Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:42:34.452Z"}}], "cna": {"title": "WordPress Meloo theme < 2.8.2 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "rascals", "product": "Meloo", "versions": [{"status": "affected", "changes": [{"at": "2.8.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.8.2"}], "packageName": "meloo", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:34.242Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/meloo/vulnerability/wordpress-meloo-theme-2-8-2-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection.This issue affects Meloo: from n/a through < 2.8.2.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection.<p>This issue affects Meloo: from n/a through < 2.8.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:09.183Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25358", "state": "PUBLISHED", "dateUpdated": "2026-04-28T01:34:39.675Z", "dateReserved": "2026-02-02T12:52:48.541Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:44.886Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection.This issue affects Meloo: from n/a through < 2.8.2."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en rascals Meloo meloo permite la inyecci\u00f3n de objetos. Este problema afecta a Meloo: desde n/a hasta &lt; 2.8.2."}], "id": "CVE-2026-25358", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:46.877", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/meloo/vulnerability/wordpress-meloo-theme-2-8-2-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.8.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[2.8.2,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Meloo", "source": "cna", "vendor": "rascals"}, "product": "meloo", "vendor": "rascals"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T19:08:02.815529+00:00", "value": {"mitigation_remediation": ["Update the Meloo theme to version\u202f2.8.2 or later.", "If an update cannot be performed immediately, deactivate or remove the theme and switch to a safe default theme such as Twenty\u202fTwenty\u2011Three.", "Examine any custom code or third\u2011party plugins that may invoke unserialize with untrusted data and eliminate or protect those calls.", "Deploy a Web Application Firewall to detect and block malicious serialized payloads.", "Regularly monitor server logs and perform security scans for signs of exploitation attempts."], "summary": {"action": "Patch", "impact": "Object Injection"}, "threat_synthesis": {"affected_systems": "All installations of the Meloo theme built by rascals that are earlier than version 2.8.2 are affected. The flaw exists regardless of the WordPress core version or other plugins installed. Any WordPress website that has deployed a vulnerable instance of the theme is therefore at risk.", "description_and_impact": "The vulnerability in the Meloo WordPress theme permits the injection of malformed serialized data. When the theme processes this data using PHP\u2019s unserialize routine, it creates PHP objects controlled by the attacker, which may lead to unauthorized actions within the application.", "risk_and_exploitability": "The CVSS score of 8.8 signals a severe potential impact, while the EPSS score below 1% indicates that active exploitation is currently rare and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack avenue involves envi\u200bring the crafted serialized payload to the theme\u2019s processing endpoint over the network, as the vulnerability is tied to the deserialization of untrusted data in a web context. The high severity score means that successful exploitation could grant considerable control if mitigations are missing, but the low probability of exploitation suggests that monitoring and preventive measures remain the most prudent approach."}}}}, "created": "2026-03-25T21:44:54.886620+00:00", "updated": "2026-03-27T09:45:57.721024+00:00", "vendors": ["rascals", "rascals$PRODUCT$meloo", "wordpress", "wordpress$PRODUCT$wordpress"]}