{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25359", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:48.541Z", "datePublished": "2026-03-25T16:14:45.178Z", "dateUpdated": "2026-03-25T16:14:45.178Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "pendulum", "product": "Pendulum", "vendor": "rascals", "versions": [{"changes": [{"at": "3.1.5", "status": "unaffected"}], "lessThanOrEqual": "< 3.1.5", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:25.421Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection.<p>This issue affects Pendulum: from n/a through < 3.1.5.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection.This issue affects Pendulum: from n/a through < 3.1.5."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:45.178Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/pendulum/vulnerability/wordpress-pendulum-theme-3-1-5-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Pendulum theme < 3.1.5 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection.This issue affects Pendulum: from n/a through < 3.1.5."}], "id": "CVE-2026-25359", "lastModified": "2026-03-25T17:16:47.010", "metrics": {}, "published": "2026-03-25T17:16:47.010", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/pendulum/vulnerability/wordpress-pendulum-theme-3-1-5-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:50:31.960541+00:00", "value": {"mitigation_remediation": ["Update the Pendulum theme to version 3.1.5 or newer."], "summary": {"action": "Patch", "impact": "Remote Code Execution via PHP Object Injection"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that uses the rascals Pendulum theme with a version earlier than 3.1.5 is vulnerable. This includes all releases from the theme's initial version up to, but not including, 3.1.5. Sites employing custom or legacy builds of the theme are also at risk until an update is applied.", "description_and_impact": "The Pendulum WordPress theme contains a deserialization flaw that permits untrusted data to be processed, enabling PHP Object Injection. This weakness, identified as CWE-502, allows an attacker to craft a serialized payload that can instantiate arbitrary PHP objects. If exploited, the target site could experience unauthorized code execution, data alteration, or complete control over the WordPress installation, compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The vulnerability appears to be exploitable without authentication, as the description indicates that untrusted data is deserialized by the theme. The likely attack vector is remote via web requests that trigger the deserialization routine. Although specific CVSS metrics are not published, the potential for remote code execution and the lack of requirement for privileged access imply a high likelihood of exploitation. The lack of an EPSS score and absence from the KEV catalog suggests a moderate to high risk based on the known weakness type and typical severity of such vulnerabilities."}}}}, "created": "2026-03-25T21:44:53.957798+00:00", "updated": "2026-03-25T21:44:53.957825+00:00", "vendors": []}