{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32511", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:13.806Z", "datePublished": "2026-03-25T16:15:05.301Z", "dateUpdated": "2026-04-29T09:52:01.013Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "stal", "product": "St\u00e5l", "vendor": "Mikado-Themes", "versions": [{"changes": [{"at": "1.7", "status": "unaffected"}], "lessThanOrEqual": "< 1.7", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:40.820Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Mikado-Themes St\u00e5l stal allows Object Injection.<p>This issue affects St\u00e5l: from n/a through < 1.7.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Mikado-Themes St\u00e5l stal allows Object Injection.This issue affects St\u00e5l: from n/a through < 1.7."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:01.013Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/stal/vulnerability/wordpress-staal-theme-1-7-arbitrary-object-instantiation-vulnerability?_s_id=cve"}], "title": "WordPress St\u00e5l theme < 1.7 - Arbitrary Object Instantiation vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:16:39.185444Z", "id": "CVE-2026-32511", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:18:11.384Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32511", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:16:39.185444Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:16:25.767Z"}}], "cna": {"title": "WordPress St\u00e5l theme < 1.7 - Arbitrary Object Instantiation vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mikado-Themes", "product": "St\u00e5l", "versions": [{"status": "affected", "changes": [{"at": "1.7", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 1.7"}], "packageName": "stal", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:40.820Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/stal/vulnerability/wordpress-staal-theme-1-7-arbitrary-object-instantiation-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Mikado-Themes St\u00e5l stal allows Object Injection.This issue affects St\u00e5l: from n/a through < 1.7.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Mikado-Themes St\u00e5l stal allows Object Injection.<p>This issue affects St\u00e5l: from n/a through < 1.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:01.013Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32511", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:52:01.013Z", "dateReserved": "2026-03-12T11:12:13.806Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:05.301Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Mikado-Themes St\u00e5l stal allows Object Injection.This issue affects St\u00e5l: from n/a through < 1.7."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Mikado-Themes St\u00e5l stal permite la inyecci\u00f3n de objetos. Este problema afecta a St\u00e5l: desde n/a hasta &lt; 1.7."}], "id": "CVE-2026-32511", "lastModified": "2026-04-29T10:17:17.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:03.413", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/stal/vulnerability/wordpress-staal-theme-1-7-arbitrary-object-instantiation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "st\u00e5l", "vendor": "mikado-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T22:59:41.507501+00:00", "value": {"mitigation_remediation": ["Verify the currently installed St\u00e5l theme version.", "Update the theme to version 1.7 or later, which removes the insecure deserialization flaw.", "If an update cannot be applied immediately, restrict access to the parts of the theme that deserialize user\u2011supplied data or disable those features until a patch is available.", "Monitor the theme\u2019s official repository for update announcements or security advisories."], "summary": {"action": "Patch Now", "impact": "Insecure Deserialization leading to Object Injection"}, "threat_synthesis": {"affected_systems": "The issue affects the Mikado\u2011Themes St\u00e5l WordPress theme across all versions older than 1.7. In particular, any installation running a version earlier than 1.7 is vulnerable.", "description_and_impact": "The St\u00e5l WordPress theme contains an insecure deserialization flaw that permits attackers to instantiate arbitrary objects. The vulnerability is classified as CWE\u2011502. This flaw can potentially be leveraged to execute unauthorized code or alter the application\u2019s behavior, depending on how the deserialized data is used within the application.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity, and the lack of an EPSS score or KEV listing suggests that exploitation is not widely documented at present. Based on the description, the likely attack vector is remote, requiring the attacker to supply malicious serialized data\u2014such as through a form submission or other user input\u2014to trigger the deserialization process. Because no official patch is listed in the provided references, the risk remains until the theme is updated to a fixed version."}}}}, "created": "2026-03-25T21:47:29.078570+00:00", "updated": "2026-03-26T12:12:29.143457+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$st\u00e5l", "wordpress", "wordpress$PRODUCT$wordpress"]}