CVE-2026-24981
Received Received - Intake
Deserialization Object Injection in NooTheme Visionary Core

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection.This issue affects Visionary Core: from n/a through <= 1.4.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24981
EUVD
EUVD-2026-15602
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nootheme visionary_core to 1.4.9 (inc)
nootheme visionary_core From 1.0.0 (inc) to 1.4.9 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24981 is a high-priority PHP Object Injection vulnerability affecting the WordPress Visionary Core Plugin versions up to and including 1.4.9.

This vulnerability allows attackers to perform malicious actions such as code injection, SQL injection, path traversal, and denial of service, provided a suitable PHP Object Injection POP chain is available.

It is classified under OWASP Top 10 A3: Injection and is exploitable by users with Subscriber or Developer privileges.

Impact Analysis

This vulnerability can have severe impacts including allowing attackers to inject malicious code, perform SQL injection, traverse paths to access unauthorized files, and cause denial of service on affected websites.

Because it is exploitable by users with Subscriber or Developer privileges, attackers can leverage this vulnerability to compromise the integrity, confidentiality, and availability of your website.

The vulnerability is considered highly dangerous and likely to be exploited in mass campaigns targeting numerous websites regardless of their traffic or popularity.

Immediate updating to version 1.5.0 or later is strongly advised to mitigate these risks.

Detection Guidance

The provided resources do not include specific commands or methods to detect this vulnerability on your network or system.

Mitigation Strategies

To mitigate the CVE-2026-24981 vulnerability, you should immediately update the Visionary Core Plugin to version 1.5.0 or later, where the vulnerability has been patched.

Until the update is applied, you can use Patchstack's automatic mitigation rule to block attacks targeting this vulnerability.

It is also recommended to consult your hosting provider or developers for further assistance and consider enabling auto-update options for the vulnerable plugin.

Compliance Impact

CVE-2026-24981 is a high-priority PHP Object Injection vulnerability that allows attackers to perform malicious actions such as code injection, SQL injection, path traversal, and denial of service. Such attacks can lead to unauthorized access, data breaches, or data manipulation.

These consequences can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Therefore, if exploited, this vulnerability could lead to violations of these regulations due to potential data exposure or compromise.

Mitigation by updating the Visionary Core Plugin to version 1.5.0 or later is strongly advised to maintain compliance and reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24981. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart