CVE-2026-24976
Received Received - Intake
Deserialization Object Injection in NooTheme Organici Library

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in NooTheme Organici Library noo-organici-library allows Object Injection.This issue affects Organici Library: from n/a through <= 2.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24976
EUVD
EUVD-2026-15592
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nootheme organici_library to 2.1.2 (inc)
noo_theme noo_organici_library From 0.0.0 (inc) to 2.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24976 is a high-priority PHP Object Injection vulnerability found in the WordPress Organici Library Plugin versions up to 2.1.2.

This vulnerability allows attackers to inject malicious PHP objects, which can lead to various harmful actions such as code injection, SQL injection, path traversal, and denial of service.

The issue arises from deserialization of untrusted data, enabling attackers to exploit the plugin if they have subscriber or developer privileges.

Impact Analysis

Exploitation of this vulnerability can result in severe impacts including unauthorized code execution, database compromise through SQL injection, unauthorized file system access via path traversal, and service disruption through denial of service attacks.

Because it can be exploited in mass campaigns targeting many websites regardless of their traffic or popularity, it poses a significant risk to affected sites.

Attackers only need subscriber or developer privileges to exploit this vulnerability, making it easier for them to cause damage.

Detection Guidance

The CVE-2026-24976 vulnerability is a PHP Object Injection flaw in the WordPress Organici Library Plugin versions up to 2.1.2. Detection typically involves monitoring for exploit attempts targeting this plugin, especially those attempting PHP Object Injection payloads.

While specific commands are not provided in the resources, users can look for suspicious HTTP requests containing serialized PHP objects or unusual payloads targeting the Organici Library Plugin endpoints.

Additionally, applying security tools or rules from Patchstack that block attacks targeting this vulnerability can help detect and prevent exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to update the Organici Library Plugin to version 2.1.3 or later, which contains the patch resolving this PHP Object Injection vulnerability.

Until the update can be applied, users are advised to implement the mitigation rule provided by Patchstack to block attacks targeting this vulnerability.

Users may also seek assistance from their hosting provider or web developer to apply these mitigations and ensure continuous protection.

Compliance Impact

The CVE-2026-24976 vulnerability allows attackers to perform malicious actions such as code injection, SQL injection, path traversal, and denial of service. These actions can lead to unauthorized access, data breaches, or disruption of services.

Such security incidents can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, as well as maintaining system integrity and availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24976. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart