CVE-2026-25359
Received Received - Intake
Deserialization Object Injection in Pendulum

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection.This issue affects Pendulum: from n/a through < 3.1.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25359
EUVD
EUVD-2026-15681
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pendulum pendulum to 3.1.5 (exc)
patchstack pendulum to 3.1.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25359 is a high-priority PHP Object Injection vulnerability found in the WordPress Pendulum Theme versions prior to 3.1.5.

This vulnerability arises from deserialization of untrusted data, allowing attackers to inject malicious PHP objects.

Exploitation requires only subscriber or developer privileges and can lead to various malicious actions if a suitable PHP Object Injection (POP) chain is available.

Impact Analysis

This vulnerability can have severe impacts including code injection, SQL injection, path traversal, and denial of service attacks.

Attackers exploiting this vulnerability can execute arbitrary code or manipulate the system, potentially compromising the security and availability of the affected website.

Due to its high severity and potential for mass exploitation, it poses a significant risk to affected users.

Detection Guidance

This vulnerability affects the Pendulum WordPress theme versions prior to 3.1.5 and involves PHP Object Injection. Detection typically involves identifying if the vulnerable theme version is in use and monitoring for suspicious activity related to object injection attempts.

Since the vulnerability requires subscriber or developer privileges to exploit, checking the installed theme version can be done via WordPress admin or command line.

  • Use WP-CLI to check the installed theme version: wp theme list --status=active
  • Inspect web server logs for unusual POST requests or payloads that may indicate PHP Object Injection attempts.
  • Use intrusion detection systems or web application firewalls with rules targeting this vulnerability (such as the mitigation rule provided by Patchstack) to detect exploit attempts.
Mitigation Strategies

The most effective immediate step is to update the Pendulum WordPress theme to version 3.1.5 or later, which contains the patch for this vulnerability.

If updating immediately is not possible, applying mitigation rules provided by Patchstack to block attacks targeting this vulnerability is strongly recommended.

Consulting with hosting providers or web developers for assistance in applying temporary mitigations or monitoring is advised.

Compliance Impact

The provided information does not specify how the CVE-2026-25359 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25359. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart