{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25031", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:52:08.058Z", "datePublished": "2026-03-25T16:14:38.375Z", "dateUpdated": "2026-03-25T16:14:38.375Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "tastydaily", "product": "Tasty Daily", "vendor": "park_of_ideas", "versions": [{"changes": [{"at": "1.27", "status": "unaffected"}], "lessThanOrEqual": "< 1.27", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:20.146Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection.<p>This issue affects Tasty Daily: from n/a through < 1.27.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection.This issue affects Tasty Daily: from n/a through < 1.27."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:38.375Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/tastydaily/vulnerability/wordpress-tasty-daily-theme-1-27-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Tasty Daily theme < 1.27 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection.This issue affects Tasty Daily: from n/a through < 1.27."}], "id": "CVE-2026-25031", "lastModified": "2026-03-25T17:16:42.837", "metrics": {}, "published": "2026-03-25T17:16:42.837", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/tastydaily/vulnerability/wordpress-tasty-daily-theme-1-27-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:11:31.314954+00:00", "value": {"mitigation_remediation": ["Upgrade the Tasty Daily theme to version 1.27 or later; this version removes the vulnerable deserialization logic. If an upgrade is not immediately feasible, deactivate or remove the theme to prevent attack surface exposure. Check the plugin\u2019s official support channel or the vendor\u2019s website for any interim security advisories or temporary workarounds."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution via PHP Object Injection"}, "threat_synthesis": {"affected_systems": "WordPress installations using the Tasty Daily theme version 1.26 and earlier are known to be affected. The vendor, park_of_ideas, does not provide a specific affected-version range other than all releases prior to 1.27. Users running any older version of this theme should verify their current version and update accordingly.", "description_and_impact": "The Tasty Daily theme for WordPress contains a deserialization vulnerability that permits untrusted data to be processed as PHP objects, allowing an attacker to inject malicious objects into the application. This flaw is classified as CWE-502, which can provide attackers with the ability to alter program execution and potentially gain full control of the affected server. If exploited, the attacker can execute arbitrary code, compromise site data, and disrupt normal operations.", "risk_and_exploitability": "No CVSS or EPSS score is listed for this vulnerability, and the asset is not in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector involves the theme\u2019s handling of serialized data, which could be triggered via web forms, plugin settings, or other input points that the theme processes. Because the flaw permits object injection, exploitation requires an attacker to craft a malicious payload and deliver it to a vulnerable input channel, after which the server will instantiate the injected object and execute its code. The absence of publicly available exploit proofs and a lack of documented exploits suggests that while the vulnerability is potentially high impact, its exploitation may currently require some effort to identify the precise input vector and construct a valid payload."}}}}, "created": "2026-03-25T21:34:13.574808+00:00", "updated": "2026-03-25T21:34:13.574875+00:00", "vendors": []}