CVE-2026-25031 - Vulnerability Details - OpenCVE

Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection.This issue affects Tasty Daily: from n/a through < 1.27.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Park Of Ideas	Tasty Daily
Wordpress	Wordpress

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Park Of Ideas	Tasty Daily
Wordpress	Wordpress

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/tastydaily/vulnerability/wordpress-tasty-daily-theme-1-27-php-object-injection-vulnerability?_s_id=cve

History

Thu, 26 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Park Of Ideas Park Of Ideas tasty Daily Wordpress Wordpress wordpress
Vendors & Products		Park Of Ideas Park Of Ideas tasty Daily Wordpress Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection.This issue affects Tasty Daily: from n/a through < 1.27.
Title		WordPress Tasty Daily theme < 1.27 - PHP Object Injection vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/Wordpress/Theme/tastydaily/vulnerability/wordpress-tasty-daily-theme-1-27-php-object-injection-vulnerability?_s_id=cve

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-25T16:14:38.375Z

Updated: 2026-03-26T15:50:11.877Z

Reserved: 2026-01-28T09:52:08.058Z

Link: CVE-2026-25031

Vulnrichment

Updated: 2026-03-26T15:48:06.385Z

NVD

Status : Received

Published: 2026-03-25T17:16:42.837

Modified: 2026-03-26T17:16:29.867

Link: CVE-2026-25031

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T11:39:28Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25031", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:52:08.058Z", "datePublished": "2026-03-25T16:14:38.375Z", "dateUpdated": "2026-03-26T15:50:11.877Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "tastydaily", "product": "Tasty Daily", "vendor": "park_of_ideas", "versions": [{"changes": [{"at": "1.27", "status": "unaffected"}], "lessThanOrEqual": "< 1.27", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:20.146Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection.<p>This issue affects Tasty Daily: from n/a through < 1.27.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection.This issue affects Tasty Daily: from n/a through < 1.27."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:38.375Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/tastydaily/vulnerability/wordpress-tasty-daily-theme-1-27-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Tasty Daily theme < 1.27 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25031", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:48:03.095601Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:50:11.877Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25031", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:48:03.095601Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:48:06.385Z"}}], "cna": {"title": "WordPress Tasty Daily theme < 1.27 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "park_of_ideas", "product": "Tasty Daily", "versions": [{"status": "affected", "changes": [{"at": "1.27", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 1.27"}], "packageName": "tastydaily", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:20.146Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/tastydaily/vulnerability/wordpress-tasty-daily-theme-1-27-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection.This issue affects Tasty Daily: from n/a through < 1.27.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection.<p>This issue affects Tasty Daily: from n/a through < 1.27.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:38.375Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25031", "state": "PUBLISHED", "dateUpdated": "2026-03-26T15:50:11.877Z", "dateReserved": "2026-01-28T09:52:08.058Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:38.375Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.27)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[1.27,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Tasty Daily", "source": "cna", "vendor": "park_of_ideas"}, "product": "tasty_daily", "vendor": "park_of_ideas"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:11:31.314954+00:00", "value": {"mitigation_remediation": ["Upgrade the Tasty Daily theme to version 1.27 or later; this version removes the vulnerable deserialization logic. If an upgrade is not immediately feasible, deactivate or remove the theme to prevent attack surface exposure. Check the plugin\u2019s official support channel or the vendor\u2019s website for any interim security advisories or temporary workarounds."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution via PHP Object Injection"}, "threat_synthesis": {"affected_systems": "WordPress installations using the Tasty Daily theme version 1.26 and earlier are known to be affected. The vendor, park_of_ideas, does not provide a specific affected-version range other than all releases prior to 1.27. Users running any older version of this theme should verify their current version and update accordingly.", "description_and_impact": "The Tasty Daily theme for WordPress contains a deserialization vulnerability that permits untrusted data to be processed as PHP objects, allowing an attacker to inject malicious objects into the application. This flaw is classified as CWE-502, which can provide attackers with the ability to alter program execution and potentially gain full control of the affected server. If exploited, the attacker can execute arbitrary code, compromise site data, and disrupt normal operations.", "risk_and_exploitability": "No CVSS or EPSS score is listed for this vulnerability, and the asset is not in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector involves the theme\u2019s handling of serialized data, which could be triggered via web forms, plugin settings, or other input points that the theme processes. Because the flaw permits object injection, exploitation requires an attacker to craft a malicious payload and deliver it to a vulnerable input channel, after which the server will instantiate the injected object and execute its code. The absence of publicly available exploit proofs and a lack of documented exploits suggests that while the vulnerability is potentially high impact, its exploitation may currently require some effort to identify the precise input vector and construct a valid payload."}}}}, "created": "2026-03-25T21:34:13.574808+00:00", "updated": "2026-03-26T11:39:28.636134+00:00", "vendors": ["park_of_ideas", "park_of_ideas$PRODUCT$tasty_daily", "wordpress", "wordpress$PRODUCT$wordpress"]}