{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28105", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:14:02.974Z", "datePublished": "2026-03-05T05:54:26.592Z", "dateUpdated": "2026-04-28T17:44:45.609Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "goodenergy", "product": "Good Energy", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.7.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:46.375Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Good Energy goodenergy allows Object Injection.<p>This issue affects Good Energy: from n/a through <= 1.7.7.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Good Energy goodenergy allows Object Injection.This issue affects Good Energy: from n/a through <= 1.7.7."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:07.760Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/goodenergy/vulnerability/wordpress-good-energy-theme-1-7-7-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Good Energy theme <= 1.7.7 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T17:05:19.121733Z", "id": "CVE-2026-28105", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:44:45.609Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-28105", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T17:05:19.121733Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T17:04:01.189Z"}}], "cna": {"title": "WordPress Good Energy theme <= 1.7.7 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "ThemeREX", "product": "Good Energy", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.7.7"}], "packageName": "goodenergy", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:06:00.187Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/goodenergy/vulnerability/wordpress-good-energy-theme-1-7-7-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Good Energy goodenergy allows Object Injection.This issue affects Good Energy: from n/a through <= 1.7.7.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Good Energy goodenergy allows Object Injection.<p>This issue affects Good Energy: from n/a through <= 1.7.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:15:43.627Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28105", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:15:43.627Z", "dateReserved": "2026-02-25T12:14:02.974Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:26.592Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Good Energy goodenergy allows Object Injection.This issue affects Good Energy: from n/a through <= 1.7.7."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en ThemeREX Good Energy goodenergy permite la inyecci\u00f3n de objetos. Este problema afecta a Good Energy: desde n/a hasta &lt;= 1.7.7."}], "id": "CVE-2026-28105", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:45.047", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/goodenergy/vulnerability/wordpress-good-energy-theme-1-7-7-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Good Energy", "source": "cna", "vendor": "ThemeREX"}, "product": "good_energy", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:00:28.335127+00:00", "value": {"mitigation_remediation": ["Upgrade the Good Energy theme to the latest version (\u22651.7.8) or later, which removes the vulnerable deserialization logic.", "If upgrading is not immediately possible, deactivate or delete the Good Energy theme to eliminate the attack surface.", "Implement strict input validation for any data deserialized by the theme and configure a Web Application Firewall to block suspicious serialized payloads."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the Good Energy theme by ThemeREX, affecting all installations from the earliest available version through version 1.7.7. Any WordPress deployment using this theme is potentially exposed.", "description_and_impact": "Deserialization of untrusted data in the ThemeREX Good Energy theme allows PHP Object Injection, which can be leveraged by an attacker to execute arbitrary code on the affected WordPress site. The flaw arises from processing untrusted serialized input without adequate validation, exposing the site to severe confidentiality, integrity, and availability risks.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.8, indicating critical severity. Although its EPSS score is below 1%, the high severity and the nature of the vulnerability make it an attractive target for attackers once access to the theme\u2019s serialization endpoint is discovered. The vulnerability is not listed in the CISA KEV catalog but remains a high\u2011risk threat. The likely attack vector is via crafted HTTP requests that supply malicious serialized payloads to the theme\u2019s deserialization processing code; the attacker can inject objects that execute arbitrary PHP code. A successful exploitation would grant the attacker full control over the affected web server."}}}}, "created": "2026-03-06T15:08:31.707740+00:00", "updated": "2026-04-15T20:15:13.699001+00:00", "vendors": ["themerex", "themerex$PRODUCT$good_energy", "wordpress", "wordpress$PRODUCT$wordpress"]}