CVE-2026-32509 - Vulnerability Details - OpenCVE

Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey allows Object Injection.This issue affects Gracey: from n/a through < 1.4.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

Vendors	Products
Edge-themes Subscribe	Gracey Subscribe
Wordpress Subscribe	Wordpress Subscribe

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Edge-themes Subscribe	Gracey Subscribe
Wordpress Subscribe	Wordpress Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/gracey/vulnerability/wordpress-gracey-theme-1-4-arbitrary-object-instantiation-vulnerability?_s_id=cve

History

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Edge-themes Edge-themes gracey Wordpress Wordpress wordpress
Vendors & Products		Edge-themes Edge-themes gracey Wordpress Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey allows Object Injection.This issue affects Gracey: from n/a through < 1.4.
Title		WordPress Gracey theme < 1.4 - Arbitrary Object Instantiation vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/Wordpress/Theme/gracey/vulnerability/wordpress-gracey-theme-1-4-arbitrary-object-instantiation-vulnerability?_s_id=cve

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-25T16:15:04.245Z

Updated: 2026-03-26T13:33:35.628Z

Reserved: 2026-03-12T11:12:13.806Z

Link: CVE-2026-32509

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-25T17:17:03.140

Modified: 2026-03-25T17:17:03.140

Link: CVE-2026-32509

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T11:35:23Z

Weaknesses

CWE-502

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32509", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:13.806Z", "datePublished": "2026-03-25T16:15:04.245Z", "dateUpdated": "2026-03-26T13:33:35.628Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "gracey", "product": "Gracey", "vendor": "Edge-Themes", "versions": [{"changes": [{"at": "1.4", "status": "unaffected"}], "lessThanOrEqual": "< 1.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:40.076Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey allows Object Injection.<p>This issue affects Gracey: from n/a through < 1.4.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey allows Object Injection.This issue affects Gracey: from n/a through < 1.4."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:04.245Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/gracey/vulnerability/wordpress-gracey-theme-1-4-arbitrary-object-instantiation-vulnerability?_s_id=cve"}], "title": "WordPress Gracey theme < 1.4 - Arbitrary Object Instantiation vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:32:47.338220Z", "id": "CVE-2026-32509", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:33:35.628Z"}}]}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "1.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Gracey", "source": "cna", "vendor": "Edge-Themes"}, "product": "gracey", "vendor": "edge-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:21:31.930817+00:00", "value": {"mitigation_remediation": ["Update the Gracey theme to version 1.4 or later, which removes the deserialization weakness.", "If an upgrade is not immediately possible, disable or uninstall the Gracey theme from the WordPress site.", "Verify that any data passed to PHP's unserialize function is properly validated or sanitized.", "Monitor web server and application logs for attempts to inject serialized data or unexpected object instantiations.", "Consider deploying security plugins that inspect or block serialized data to reduce exploitation risk."], "summary": {"action": "Immediate Patch", "impact": "Object Injection"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the Edge\u2011Themes Gracey theme with a version less than 1.4 are affected. All releases up to, but not including, 1.4 contain the flaw, so any site running those versions is susceptible.", "description_and_impact": "The Gracey theme deserializes data from untrusted sources, enabling an attacker to inject arbitrary PHP object instances. This object injection flaw could allow modification of application flow or execution of unintended code. The vulnerability is classified as CWE\u2011502, a deserialization of untrusted data weakness.", "risk_and_exploitability": "Because the flaw involves unserialization of external input, attackers may craft a serialized payload and submit it through a form or URL that the theme processes. The CVSS score is not provided, and the EPSS score is unavailable, so the probability of exploitation is unclear. The CVE does not explicitly state that remote code execution is achieved, but it is inferred that malicious object instantiation could lead to that outcome if used with later application logic; therefore the risk is considered significant until mitigated."}}}}, "created": "2026-03-25T21:47:31.057461+00:00", "updated": "2026-03-26T11:35:23.716782+00:00", "vendors": ["edge-themes", "edge-themes$PRODUCT$gracey", "wordpress", "wordpress$PRODUCT$wordpress"]}