{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32502", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:07.663Z", "datePublished": "2026-03-25T16:15:00.990Z", "dateUpdated": "2026-04-29T09:52:00.844Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "borgholm-marketing-agency-theme", "product": "Borgholm", "vendor": "Select-Themes", "versions": [{"changes": [{"at": "1.6", "status": "unaffected"}], "lessThanOrEqual": "< 1.6", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:38.713Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.<p>This issue affects Borgholm: from n/a through < 1.6.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:00.844Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/borgholm-marketing-agency-theme/vulnerability/wordpress-borgholm-theme-1-6-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Borgholm theme < 1.6 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32502", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:39:32.089894Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:40:09.212Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32502", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:39:32.089894Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:39:54.199Z"}}], "cna": {"title": "WordPress Borgholm theme < 1.6 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "Select-Themes", "product": "Borgholm", "versions": [{"status": "affected", "changes": [{"at": "1.6", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 1.6"}], "packageName": "borgholm-marketing-agency-theme", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:38.713Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/borgholm-marketing-agency-theme/vulnerability/wordpress-borgholm-theme-1-6-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.<p>This issue affects Borgholm: from n/a through < 1.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:00.990Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32502", "state": "PUBLISHED", "dateUpdated": "2026-03-26T15:40:09.212Z", "dateReserved": "2026-03-12T11:12:07.663Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:00.990Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Select-Themes Borgholm borgholm-marketing-agency-theme permite la inyecci\u00f3n de objetos. Este problema afecta a Borgholm: desde n/a hasta &lt; 1.6."}], "id": "CVE-2026-32502", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:02.217", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/borgholm-marketing-agency-theme/vulnerability/wordpress-borgholm-theme-1-6-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "borgholm", "vendor": "select-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T17:37:45.255460+00:00", "value": {"mitigation_remediation": ["Upgrade the Borgholm theme to version 1.6 or later"], "summary": {"action": "Immediate Patch", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installs of the WordPress Borgholm marketing\u2011agency theme running any version prior to 1.6. The theme is distributed by Select\u2011Themes under the name Borgholm and is used as a WordPress plugin/theme. The specific product is the Borgholm theme, version range n/a through < 1.6.", "description_and_impact": "The Borgholm theme for WordPress suffers from a deserialization vulnerability that permits PHP Object Injection. An attacker who can supply crafted serialized data to the theme\u2019s code can instantiate objects of classes controlled by the attacker, potentially leading to arbitrary code execution on the web server. The weakness is a classic untrusted deserialization flaw, identified as CWE\u2011502.", "risk_and_exploitability": "The CVSS score of 9.8 highlights a critical severity, and the EPSS score of less than 1% suggests that the public exploitation probability is currently low. The vulnerability is not listed in the CISA KEV catalog, but the potential for remote code execution remains high. From the description, it is inferred that the attack vector is remote via the theme\u2019s handling of user\u2011supplied data, such as form submissions or URL parameters, that are deserialized without validation."}}}}, "created": "2026-03-25T21:47:37.569626+00:00", "updated": "2026-03-27T09:30:59.831665+00:00", "vendors": ["select-themes", "select-themes$PRODUCT$borgholm", "wordpress", "wordpress$PRODUCT$wordpress"]}