{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28074", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:47.059Z", "datePublished": "2026-03-05T05:54:20.932Z", "dateUpdated": "2026-04-28T17:40:15.760Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "pizzahouse", "product": "Pizza House", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.4.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:52.649Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Pizza House pizzahouse allows Object Injection.<p>This issue affects Pizza House: from n/a through <= 1.4.0.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Pizza House pizzahouse allows Object Injection.This issue affects Pizza House: from n/a through <= 1.4.0."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:06.702Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/pizzahouse/vulnerability/wordpress-pizza-house-theme-1-4-0-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Pizza House theme <= 1.4.0 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T20:38:41.100983Z", "id": "CVE-2026-28074", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:40:15.760Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28074", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T20:38:41.100983Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T20:37:48.284Z"}}], "cna": {"title": "WordPress Pizza House theme <= 1.4.0 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeREX", "product": "Pizza House", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.0"}], "packageName": "pizzahouse", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:52.649Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/pizzahouse/vulnerability/wordpress-pizza-house-theme-1-4-0-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Pizza House pizzahouse allows Object Injection.This issue affects Pizza House: from n/a through <= 1.4.0.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Pizza House pizzahouse allows Object Injection.<p>This issue affects Pizza House: from n/a through <= 1.4.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:06.702Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28074", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:40:15.760Z", "dateReserved": "2026-02-25T12:13:47.059Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:20.932Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Pizza House pizzahouse allows Object Injection.This issue affects Pizza House: from n/a through <= 1.4.0."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en ThemeREX Pizza House pizzahouse permite la inyecci\u00f3n de objetos. Este problema afecta a Pizza House: desde n/a hasta &lt;= 1.4.0."}], "id": "CVE-2026-28074", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:41.307", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/pizzahouse/vulnerability/wordpress-pizza-house-theme-1-4-0-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Pizza House", "source": "cna", "vendor": "ThemeREX"}, "product": "pizza_house", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T04:54:07.594397+00:00", "value": {"mitigation_remediation": ["Upgrade ThemeREX Pizza House theme to the latest available version, if a newer release exists.", "If an upgrade is not immediately possible, deactivate the theme or replace it with a secure alternative to prevent untrusted serialized data from being processed.", "As a temporary measure, restrict or block all endpoints that allow the theme to receive serialized input, such as its admin panels, and configure WordPress to sanitize or reject such data."], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of the ThemeREX Pizza House theme version 1.4.0 and earlier are affected. The vulnerability applies to the ThemeREX Pizza House theme, which is distributed under the ThemeREX vendor. The issue is relevant to any WordPress site that has chosen this theme, regardless of its versioning prior to 1.4.0.", "description_and_impact": "The flaw is a PHP Object Injection that occurs when the theme deserializes data supplied by an attacker. Because the data is not trusted, it can cause arbitrary objects to be instantiated and subsequently executed, potentially allowing an attacker to run arbitrary code. The vulnerability is classified as CWE-502, reflecting unsafe handling of serialized data, and is rated with a CVSS score of 9.8, indicating a critical risk.", "risk_and_exploitability": "The CVSS score of 9.8 sharply increases the severity, while the EPSS score of less than 1% suggests the probability of exploitation remains low but non\u2011zero. The vulnerability is not in the CISA KEV catalog, implying no known widespread exploitation at this time. Based on the description, it is inferred that an attacker can exploit the flaw by sending a malicious serialized string to the theme\u2019s processing routine, which can result in arbitrary code execution. The likely attack vector is remote, requiring the attacker to supply the vulnerable serialized data to the theme. The consequences of a successful exploit include full code execution privileges on the affected WordPress site."}}}}, "created": "2026-03-06T15:08:55.424806+00:00", "updated": "2026-04-16T05:00:09.673279+00:00", "vendors": ["themerex", "themerex$PRODUCT$pizza_house", "wordpress", "wordpress$PRODUCT$wordpress"]}