{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27338", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-19T09:51:35.296Z", "datePublished": "2026-03-05T05:53:51.887Z", "dateUpdated": "2026-04-28T16:15:02.036Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "carzone", "product": "Car Zone", "vendor": "AivahThemes", "versions": [{"lessThanOrEqual": "3.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:27.505Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in AivahThemes Car Zone carzone allows Object Injection.<p>This issue affects Car Zone: from n/a through <= 3.7.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in AivahThemes Car Zone carzone allows Object Injection.This issue affects Car Zone: from n/a through <= 3.7."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:02.036Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/carzone/vulnerability/wordpress-car-zone-theme-3-7-deserialization-of-untrusted-data-vulnerability?_s_id=cve"}], "title": "WordPress Car Zone theme <= 3.7 - Deserialization of untrusted data vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T18:38:05.386057Z", "id": "CVE-2026-27338", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:58:15.793Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27338", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T18:38:05.386057Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:36:10.610Z"}}], "cna": {"title": "WordPress Car Zone theme <= 3.7 - Deserialization of untrusted data vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AivahThemes", "product": "Car Zone", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.7"}], "packageName": "carzone", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:27:08.641Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/carzone/vulnerability/wordpress-car-zone-theme-3-7-deserialization-of-untrusted-data-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in AivahThemes Car Zone carzone allows Object Injection.This issue affects Car Zone: from n/a through <= 3.7.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in AivahThemes Car Zone carzone allows Object Injection.<p>This issue affects Car Zone: from n/a through <= 3.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:51.610Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27338", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:58:15.793Z", "dateReserved": "2026-02-19T09:51:35.296Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:51.887Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in AivahThemes Car Zone carzone allows Object Injection.This issue affects Car Zone: from n/a through <= 3.7."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en AivahThemes Car Zone carzone permite la inyecci\u00f3n de objetos. Este problema afecta a Car Zone: desde n/a hasta &lt;= 3.7."}], "id": "CVE-2026-27338", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:24.367", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/carzone/vulnerability/wordpress-car-zone-theme-3-7-deserialization-of-untrusted-data-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Car Zone", "source": "cna", "vendor": "AivahThemes"}, "product": "car_zone", "vendor": "aivahthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T23:41:52.853959+00:00", "value": {"mitigation_remediation": ["Upgrade the Car Zone theme to the latest released version (3.8 or newer) once available to eliminate the deserialization flaw.", "If an upgrade is not yet available, deactivate or remove the Car Zone theme from the WordPress installation to prevent exploitation.", "Implement strict input validation for any serialized data that the theme processes, ensuring only trusted sources are allowed.", "Monitor web application logs for suspicious deserialization attempts and block anomalous traffic."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected installations are those using AivahThemes Car Zone theme version 3.7 and older. All releases from the earliest available version through 3.7 are susceptible. Administrators should verify the theme version and update or replace it.", "description_and_impact": "The vulnerability lies in the WordPress Car Zone theme's handling of serialized data. Deserialization of untrusted data allows an attacker to inject malicious objects, potentially resulting in remote code execution or privilege escalation. This flaw is identified as a CWE\u2011502 deserialization weakness.", "risk_and_exploitability": "The CVSS base score of 8.8 indicates a high severity impact. The EPSS score of less than 1% suggests a low likelihood of current exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector involves submitting crafted serialized payloads to the theme, which could be achieved via HTTP requests or administrative interfaces. Due to the high potential consequence, monitoring for anomalous requests and applying mitigations is recommended."}}}}, "created": "2026-03-06T15:13:37.934122+00:00", "updated": "2026-04-15T23:45:05.933173+00:00", "vendors": ["aivahthemes", "aivahthemes$PRODUCT$car_zone", "wordpress", "wordpress$PRODUCT$wordpress"]}