CVE-2026-32512
Deserialization Object Injection in Pelicula Theme Allows Code Execution
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Patchstack
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| edge-themes | pelicula | to 1.10 (exc) |
| patchstack | pelicula_video_production_and_movie_theme | to 1.10 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32512 is a high-priority PHP Object Injection vulnerability found in the WordPress Pelicula Theme versions prior to 1.10.
This vulnerability allows unauthenticated attackers to perform PHP Object Injection, which means they can inject malicious objects into the application.
If a suitable Property Oriented Programming (POP) chain is available, attackers can exploit this to execute remote code, perform SQL injection, path traversal, denial of service, and other attacks.
The vulnerability falls under the OWASP Top 10 category A3: Injection and was patched in version 1.10 of the Pelicula Theme.
How can this vulnerability impact me?
This vulnerability can have severe impacts including remote code execution, which allows attackers to run arbitrary code on your server.
It can also lead to SQL injection, enabling attackers to manipulate or steal data from your database.
Other possible impacts include path traversal, which can expose sensitive files, and denial of service attacks that can disrupt your website's availability.
Because it is exploitable by unauthenticated attackers and is expected to be widely targeted, it poses a critical risk to websites using vulnerable versions of the Pelicula Theme.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability affects WordPress Pelicula Theme versions prior to 1.10 and involves PHP Object Injection. Detection typically involves identifying if the vulnerable theme version is in use and monitoring for exploitation attempts.
While no specific commands are provided in the available resources, users can check the installed Pelicula Theme version in their WordPress installation to determine if it is below 1.10.
- Check the theme version via WordPress admin dashboard under Appearance > Themes.
- Use the WP-CLI command to check the theme version: wp theme list --status=active
- Monitor web server logs for suspicious requests that may indicate PHP Object Injection attempts.
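
The checks above can be scripted; the following is an added example, not code from the advisory, Patchstack or the theme vendor. It compares installed Pelicula versions against 1.10 component by component and flags access-log lines that contain a URL-encoded PHP serialized object. Assumptions: the theme slug `pelicula`, the `data` parameter, the class name and every sample line are constructed, since the advisory does not name the vulnerable parameter.

```python
import json
import re
from urllib.parse import unquote

FIXED = (1, 10)          # patched release named in the advisory
THEME_SLUG = "pelicula"  # assumed theme directory name

# Start of a PHP serialize() object: O:<len>:"<Class>":<count>: (C: = Serializable)
SERIALIZED_OBJECT = re.compile(r'\b[OC]:\d+:"[^"]+":\d+:')

def version_tuple(version):
    # Compare numerically per component: as floats or strings, 1.9 sorts after 1.10.
    return tuple(int(part) for part in re.findall(r"\d+", version))

def vulnerable_versions(theme_list_json):
    """Take `wp theme list --format=json` output; return Pelicula versions below 1.10."""
    return [t["version"] for t in json.loads(theme_list_json)
            if t["name"] == THEME_SLUG and version_tuple(t["version"]) < FIXED]

def url_decode(text, rounds=3):
    # Undo up to three layers of percent-encoding so %253A is read as ':'.
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def suspicious_requests(log_lines):
    """Return access-log lines whose decoded form contains a serialized PHP object."""
    return [line for line in log_lines if SERIALIZED_OBJECT.search(url_decode(line))]

# Constructed sample data (not taken from the advisory or any real site).
SAMPLE_THEMES = json.dumps([
    {"name": "pelicula", "status": "parent", "version": "1.9"},
    {"name": "pelicula-child", "status": "active", "version": "1.0"},
])
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Mar/2026:10:01:02 +0000] "GET /?s=movie HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Mar/2026:10:01:05 +0000] "GET /?data=O%3A12%3A%22ExampleClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Mar/2026:10:01:09 +0000] "GET /?data=O%253A12%253A%2522ExampleClass%2522%253A0%253A%257B%257D HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Mar/2026:10:01:12 +0000] "GET /?data=a%3A1%3A%7Bi%3A0%3Bs%3A1%3A%22x%22%3B%7D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print("Pelicula versions below 1.10:", vulnerable_versions(SAMPLE_THEMES))
    for line in suspicious_requests(SAMPLE_LOG):
        print("serialized object in request:", line)
```

Access logs normally record only the request line, so payloads sent in POST bodies or cookies, or wrapped in another encoding such as base64, are not visible to this check.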
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the Pelicula Theme to version 1.10 or later, where the vulnerability has been patched.
If immediate updating is not possible, users are advised to apply mitigation rules provided by Patchstack to block attacks targeting this vulnerability.
Seeking assistance from hosting providers or web developers to apply interim protections is also recommended.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the CVE-2026-32512 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.