{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25449", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:47.193Z", "datePublished": "2026-03-18T13:12:25.884Z", "dateUpdated": "2026-04-01T16:00:42.820Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "traveler", "product": "Traveler", "vendor": "shinetheme", "versions": [{"changes": [{"at": "3.2.8.1", "status": "unaffected"}], "lessThanOrEqual": "3.2.8.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:01.852Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in shinetheme Traveler traveler allows Object Injection.<p>This issue affects Traveler: from n/a through < 3.2.8.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in shinetheme Traveler traveler allows Object Injection.This issue affects Traveler: from n/a through < 3.2.8.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T16:00:42.820Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-8-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Traveler theme < 3.2.8.1 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T20:03:26.995592Z", "id": "CVE-2026-25449", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T20:15:56.526Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25449", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-18T20:03:26.995592Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T20:03:33.352Z"}}], "cna": {"title": "WordPress Traveler theme < 3.2.8.1 - PHP Object Injection vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Phat RiO - BlueRock | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Shinetheme", "product": "Traveler", "versions": [{"status": "affected", "changes": [{"at": "3.2.8.1", "status": "unaffected"}], "version": "n/a", "lessThan": "3.2.8.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Traveler theme to the latest available version (at least 3.2.8.1).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Traveler theme to the latest available version (at least 3.2.8.1).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/theme/traveler/vulnerability/wordpress-traveler-theme-3-2-8-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Shinetheme Traveler allows Object Injection.This issue affects Traveler: from n/a before 3.2.8.1.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Shinetheme Traveler allows Object Injection.<p>This issue affects Traveler: from n/a before 3.2.8.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-18T13:20:25.978Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25449", "state": "PUBLISHED", "dateUpdated": "2026-03-18T20:15:56.526Z", "dateReserved": "2026-02-02T12:53:47.193Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-18T13:12:25.884Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in shinetheme Traveler traveler allows Object Injection.This issue affects Traveler: from n/a through < 3.2.8.1."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Shinetheme Traveler permite la inyecci\u00f3n de objetos. Este problema afecta a Traveler: desde n/a antes de 3.2.8.1."}], "id": "CVE-2026-25449", "lastModified": "2026-04-01T17:28:36.030", "metrics": {}, "published": "2026-03-18T14:16:39.297", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-8-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.2.8.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Traveler", "source": "cna", "vendor": "Shinetheme"}, "product": "traveler", "vendor": "shinetheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-18T14:50:31.530150+00:00", "value": {"mitigation_remediation": ["Update the WordPress Traveler theme to version 3.2.8.1 or later."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the Shinetheme Traveler theme for WordPress, any version prior to 3.2.8.1. No specific revision is listed; all releases before the stated version are vulnerable.", "description_and_impact": "The vulnerability is a deserialization of untrusted data in the WordPress Traveler theme that permits PHP Object Injection. This flaw can potentially allow an attacker to create arbitrary PHP objects, leading to remote code execution or other malicious actions. It is identified as CWE-502.", "risk_and_exploitability": "The vulnerability has a CVSS score of 9.8, indicating a high severity. While the EPSS score is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, it remains a critical risk due to the potential for remote code execution. The likely attack vector is remote through crafted serialized input sent within an HTTP request to the theme; this inference is based on the nature of PHP object injection vulnerabilities."}}}}, "created": "2026-03-19T08:56:38.761251+00:00", "updated": "2026-03-24T10:58:46.396028+00:00", "vendors": ["shinetheme", "shinetheme$PRODUCT$traveler", "wordpress", "wordpress$PRODUCT$wordpress"]}