{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23971", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-19T16:14:52.936Z", "datePublished": "2026-03-25T16:14:29.883Z", "dateUpdated": "2026-03-25T16:14:29.883Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "woodmart", "product": "WoodMart", "vendor": "xtemos", "versions": [{"changes": [{"at": "8.3.9", "status": "unaffected"}], "lessThanOrEqual": "<= 8.3.8", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:12.904Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.<p>This issue affects WoodMart: from n/a through <= 8.3.8.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.This issue affects WoodMart: from n/a through <= 8.3.8."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:29.883Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/woodmart/vulnerability/wordpress-woodmart-theme-8-3-8-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress WoodMart theme <= 8.3.8 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.This issue affects WoodMart: from n/a through <= 8.3.8."}], "id": "CVE-2026-23971", "lastModified": "2026-03-25T17:16:36.143", "metrics": {}, "published": "2026-03-25T17:16:36.143", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/woodmart/vulnerability/wordpress-woodmart-theme-8-3-8-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:47:02.274876+00:00", "value": {"mitigation_remediation": ["Update the WoodMart theme to version 8.4 or later, where the deserialization issue has been fixed.", "If an update cannot be performed immediately, consider disabling the WoodMart theme or reverting to a previous stable theme to eliminate the vulnerable code path.", "Verify that all theme files have not been tampered and that no legacy exploit code remains.", "Monitor log files for signs of unusual deserialization activity and keep the WordPress core, plugins, and all themes up to date."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects the xtemos WoodMart theme for WordPress in all releases from the earliest version up to and including 8.3.8. No later versions were specifically mentioned as receiving the fix.", "description_and_impact": "The vulnerability arises from deserialization of untrusted data in the WoodMart WordPress theme, allowing PHP object injection. An attacker who can provide malicious payloads during the deserialization process can manipulate the object graph and potentially achieve remote code execution within the context of the web application.", "risk_and_exploitability": "The potential impact is high, as remote code execution would grant an attacker full control over the site. No CVSS score is supplied and the EPSS score is not available, making it difficult to gauge exploitation likelihood precisely; however, PHP object injection is a well\u2011known vector that attackers frequently target. The vulnerability is not listed as a known exploited vulnerability by CISA, but the absence of mitigation data does not reduce the need for immediate attention."}}}}, "created": "2026-03-25T21:34:58.489279+00:00", "updated": "2026-03-25T21:34:58.489306+00:00", "vendors": []}