CVE-2026-24981
Deserialization Object Injection in NooTheme Visionary Core
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nootheme | visionary_core | to 1.4.9 (inc) |
| nootheme | visionary_core | From 1.0.0 (inc) to 1.4.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24981 is a high-priority PHP Object Injection vulnerability affecting the WordPress Visionary Core Plugin versions up to and including 1.4.9.
This vulnerability allows attackers to perform malicious actions such as code injection, SQL injection, path traversal, and denial of service, provided a suitable PHP Object Injection POP chain is available.
It is classified under OWASP Top 10 A3: Injection and is exploitable by users with Subscriber or Developer privileges.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including allowing attackers to inject malicious code, perform SQL injection, traverse paths to access unauthorized files, and cause denial of service on affected websites.
Because it is exploitable by users with Subscriber or Developer privileges, attackers can leverage this vulnerability to compromise the integrity, confidentiality, and availability of your website.
The vulnerability is considered highly dangerous and likely to be exploited in mass campaigns targeting numerous websites regardless of their traffic or popularity.
Immediate updating to version 1.5.0 or later is strongly advised to mitigate these risks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided resources do not include specific commands or methods to detect this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-24981 vulnerability, you should immediately update the Visionary Core Plugin to version 1.5.0 or later, where the vulnerability has been patched.
Until the update is applied, you can use Patchstack's automatic mitigation rule to block attacks targeting this vulnerability.
It is also recommended to consult your hosting provider or developers for further assistance and consider enabling auto-update options for the vulnerable plugin.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-24981 is a high-priority PHP Object Injection vulnerability that allows attackers to perform malicious actions such as code injection, SQL injection, path traversal, and denial of service. Such attacks can lead to unauthorized access, data breaches, or data manipulation.
These consequences can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Therefore, if exploited, this vulnerability could lead to violations of these regulations due to potential data exposure or compromise.
Mitigation by updating the Visionary Core Plugin to version 1.5.0 or later is strongly advised to maintain compliance and reduce risk.