CVE-2026-32512
Received Received - Intake
Deserialization Object Injection in Pelicula Theme Allows Code Execution

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.This issue affects Pelicula: from n/a through < 1.10.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32512
EUVD
EUVD-2026-15868
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
edge-themes pelicula to 1.10 (exc)
patchstack pelicula_video_production_and_movie_theme to 1.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32512 is a high-priority PHP Object Injection vulnerability found in the WordPress Pelicula Theme versions prior to 1.10.

This vulnerability allows unauthenticated attackers to perform PHP Object Injection, which means they can inject malicious objects into the application.

If a suitable Property Oriented Programming (POP) chain is available, attackers can exploit this to execute remote code, perform SQL injection, path traversal, denial of service, and other attacks.

The vulnerability falls under the OWASP Top 10 category A3: Injection and was patched in version 1.10 of the Pelicula Theme.

Impact Analysis

This vulnerability can have severe impacts including remote code execution, which allows attackers to run arbitrary code on your server.

It can also lead to SQL injection, enabling attackers to manipulate or steal data from your database.

Other possible impacts include path traversal, which can expose sensitive files, and denial of service attacks that can disrupt your website's availability.

Because it is exploitable by unauthenticated attackers and is expected to be widely targeted, it poses a critical risk to websites using vulnerable versions of the Pelicula Theme.

Detection Guidance

The vulnerability affects WordPress Pelicula Theme versions prior to 1.10 and involves PHP Object Injection. Detection typically involves identifying if the vulnerable theme version is in use and monitoring for exploitation attempts.

While no specific commands are provided in the available resources, users can check the installed Pelicula Theme version in their WordPress installation to determine if it is below 1.10.

  • Check the theme version via WordPress admin dashboard under Appearance > Themes.
  • Use WP-CLI command to check theme version: wp theme list --status=active
  • Monitor web server logs for suspicious requests that may indicate PHP Object Injection attempts.
Mitigation Strategies

The primary and immediate mitigation step is to update the Pelicula Theme to version 1.10 or later, where the vulnerability has been patched.

If immediate updating is not possible, users are advised to apply mitigation rules provided by Patchstack to block attacks targeting this vulnerability.

Seeking assistance from hosting providers or web developers to apply interim protections is also recommended.

Compliance Impact

The provided information does not specify how the CVE-2026-32512 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32512. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart