{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27439", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-19T09:52:39.682Z", "datePublished": "2026-03-05T05:54:02.747Z", "dateUpdated": "2026-04-28T16:15:03.183Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "dentario", "product": "Dentario", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:25.326Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Dentario dentario allows Object Injection.<p>This issue affects Dentario: from n/a through <= 1.5.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Dentario dentario allows Object Injection.This issue affects Dentario: from n/a through <= 1.5."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:03.183Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/dentario/vulnerability/wordpress-dentario-theme-1-5-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Dentario theme <= 1.5 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T18:43:42.649342Z", "id": "CVE-2026-27439", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:08:08.751Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27439", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-19T09:52:39.682Z", "datePublished": "2026-03-05T05:54:02.747Z", "dateUpdated": "2026-04-28T16:08:08.751Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "dentario", "product": "Dentario", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:27:20.959Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Dentario dentario allows Object Injection.<p>This issue affects Dentario: from n/a through <= 1.5.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Dentario dentario allows Object Injection.This issue affects Dentario: from n/a through <= 1.5."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:52.328Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/dentario/vulnerability/wordpress-dentario-theme-1-5-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Dentario theme <= 1.5 - PHP Object Injection vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27439", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T18:43:42.649342Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T18:43:30.343Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Dentario dentario allows Object Injection.This issue affects Dentario: from n/a through <= 1.5."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en ThemeREX Dentario dentario permite la inyecci\u00f3n de objetos. Este problema afecta a Dentario: desde n/d hasta &lt;= 1.5."}], "id": "CVE-2026-27439", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:29.810", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/dentario/vulnerability/wordpress-dentario-theme-1-5-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Dentario", "source": "cna", "vendor": "ThemeREX"}, "product": "dentario", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T23:28:25.927268+00:00", "value": {"mitigation_remediation": ["Upgrade Dentario to the latest version (any release newer than 1.5) where the insecure deserialization issue has been fixed.", "If an update is unavailable, disable or replace the Dentario theme until a patched version is released to prevent the vulnerable code from executing.", "Restrict access to WordPress admin and any AJAX endpoints used by the theme to trusted users or IP ranges, and validate or sanitize all external input before serialization to mitigate the risk of object injection."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All WordPress installations that have the ThemeREX Dentario theme version 1.5 or earlier. The issue applies across every variant of the theme used in the public or private sites that have not applied the update past version 1.5.", "description_and_impact": "Deserialization of untrusted data in the Dentario theme allows PHP object injection, a form of insecure deserialization that can enable remote code execution and full compromise of the affected WordPress site. The vulnerability is identified as CWE\u2011502 and satisfies the criteria for critical severity due to the ability to execute arbitrary code on the web server with the privileges of the web application. Exploiting this flaw would grant attackers control over the file system, database, and WordPress installation, potentially facilitating credential theft, defacement, or serving malware to site visitors.", "risk_and_exploitability": "The CVSS score of 9.8 marks this vulnerability as critical, and although the EPSS score is below 1\u202f%\u2014indicating a low probability of mass exploitation\u2014it remains a high\u2011risk target for determined adversaries. The attack vector can be inferred as a remote request that triggers the theme\u2019s deserialization logic, such as a crafted POST or GET payload to an admin or AJAX endpoint. Since the vulnerability is not listed in the CISA KEV catalog, there is currently no confirmed exploitation activity, but the potential for undisclosed or future attacks exists."}}}}, "created": "2026-03-06T15:11:58.942858+00:00", "updated": "2026-04-15T23:30:17.203206+00:00", "vendors": ["themerex", "themerex$PRODUCT$dentario", "wordpress", "wordpress$PRODUCT$wordpress"]}