CVE-2026-24974
Deserialization Object Injection in NooTheme CitiLights
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nootheme | citi_lights | to 3.7.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-24974 vulnerability allows attackers to perform malicious actions such as code injection, SQL injection, path traversal, and denial of service. Such attacks can lead to unauthorized access, data breaches, or data manipulation, which may result in non-compliance with common standards and regulations like GDPR and HIPAA that require protection of sensitive data and maintaining system integrity.
Because this vulnerability enables exploitation that could compromise data confidentiality and integrity, organizations using the affected CitiLights theme without patching may face increased risk of violating data protection regulations, potentially leading to legal and financial consequences.
Mitigation by updating to version 3.7.2 or later is critical to maintain compliance and reduce the risk of exploitation.
Can you explain this vulnerability to me?
CVE-2026-24974 is a high-priority PHP Object Injection vulnerability found in the WordPress CitiLights Theme versions up to and including 3.7.1.
This vulnerability allows attackers to inject malicious objects into the application, which can lead to various harmful actions such as code injection, SQL injection, path traversal, and denial of service, provided a suitable PHP Object Injection (POP) chain is present.
It is classified under the OWASP Top 10 category A3: Injection and specifically identified as PHP Object Injection.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow attackers to perform malicious actions such as executing arbitrary code, manipulating the database through SQL injection, accessing unauthorized files via path traversal, and causing denial of service conditions.
These impacts can compromise the security, integrity, and availability of your website running the vulnerable CitiLights theme.
The vulnerability has a CVSS score of 8.8, indicating a severe risk and a high likelihood of exploitation in widespread attack campaigns.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The CVE-2026-24974 vulnerability is a PHP Object Injection flaw in the WordPress CitiLights Theme up to version 3.7.1. Detection typically involves monitoring for exploitation attempts that may include malicious payloads targeting PHP object injection.
While specific commands are not provided in the available resources, it is recommended to monitor web server logs for unusual POST or GET requests containing serialized PHP objects or suspicious payloads that could trigger object injection.
Additionally, applying Patchstack's mitigation rule can help block exploitation attempts, which may also provide logging or alerting features to detect attack attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the CitiLights WordPress Theme to version 3.7.2 or later, which contains the patch resolving this vulnerability.
Until the update can be applied, it is recommended to implement the mitigation rule provided by Patchstack to block exploitation attempts and provide the fastest protection against attacks.
If you are unable to update the theme yourself, consult your hosting provider or web developer to assist with applying the update or mitigation.