CVE-2026-25032
Published: 25 March 2026
Summary
CVE-2026-25032 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 29.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25032 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Ricky WordPress theme developed by park_of_ideas, enabling PHP Object Injection. The issue affects all versions of the Ricky theme prior to 2.31 (the advisory gives no lower bound, listed as "n/a"). Published on 2026-03-25, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impacts across confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows object injection, which can lead to high-impact outcomes including unauthorized data access, modification, or denial of service, as reflected in the CVSS metrics.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/ricky/vulnerability/wordpress-ricky-theme-2-31-php-object-injection-vulnerability?_s_id=cve details the vulnerability in the Ricky theme and recommends updating to version 2.31 or later, where the deserialization flaw has been addressed.
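To make the bug class and the fix concrete, here is an added illustration written for this page; it is not code from the Ricky theme (the advisory does not show the vulnerable call site), and the handler names, the `layout` parameter and the `theme_layout` option are hypothetical. The vulnerable form calls `unserialize()` on request data; the fixed form uses a data-only format and allow-list validation (the SI-10 control named above).

```php
<?php
// Added example, not the Ricky theme's code. A hypothetical WordPress AJAX
// handler reachable without authentication (wp_ajax_nopriv_*), first in its
// CWE-502 form and then fixed.

// BEFORE: PHP object injection. unserialize() on attacker-controlled input
// instantiates whatever classes the payload names and runs their magic
// methods (__wakeup, __destruct, ...), which is what object-injection
// exploits abuse. No login is needed because the action is registered nopriv.
function theme_layout_handler_vulnerable() {
    $raw    = isset( $_POST['layout'] ) ? wp_unslash( $_POST['layout'] ) : '';
    $layout = unserialize( $raw );        // CWE-502: untrusted data
    update_option( 'theme_layout', $layout );
    wp_send_json_success();
}

// AFTER: never deserialize PHP objects from a request. Decode a data-only
// format into plain arrays and validate the shape before trusting it.
function theme_layout_handler_fixed() {
    $raw    = isset( $_POST['layout'] ) ? wp_unslash( $_POST['layout'] ) : '';
    $layout = json_decode( $raw, true );  // true => arrays only, never objects
    if ( ! is_array( $layout ) || ! theme_layout_is_valid( $layout ) ) {
        wp_send_json_error( 'invalid layout', 400 );
    }
    update_option( 'theme_layout', $layout );
    wp_send_json_success();
}

// Allow-list validation of the decoded structure (input validation at the
// entry point): unknown keys and wrong types are rejected.
function theme_layout_is_valid( array $layout ) {
    $sidebars = array( 'left', 'right', 'none' );
    foreach ( $layout as $key => $value ) {
        if ( 'columns' === $key && is_int( $value ) && $value >= 1 && $value <= 4 ) {
            continue;
        }
        if ( 'sidebar' === $key && in_array( $value, $sidebars, true ) ) {
            continue;
        }
        return false;
    }
    return true;
}

// If serialized PHP data must still be read from a trusted store (not from a
// request), PHP 7+ can forbid object instantiation entirely: objects in the
// payload become __PHP_Incomplete_Class and no magic methods run.
// $data = unserialize( $raw, array( 'allowed_classes' => false ) );

add_action( 'wp_ajax_nopriv_theme_layout', 'theme_layout_handler_fixed' );
add_action( 'wp_ajax_theme_layout', 'theme_layout_handler_fixed' );
```

When auditing a theme or plugin for this class, grep for `unserialize(` and `maybe_unserialize(` and check whether any argument can originate from `$_GET`, `$_POST`, `$_COOKIE` or `$_REQUEST`.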
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15632
Vulnerability details
Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection. This issue affects Ricky: from n/a through < 2.31.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote deserialization/PHP object injection in a public-facing WordPress theme directly enables exploitation of a public-facing application (T1190) with full CIA impact.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and patching of the deserialization flaw in the Ricky WordPress theme, directly mitigating CVE-2026-25032 by updating to version 2.31 or later.
- SI-10 (Information Input Validation): implements input validation at system entry points to block untrusted data from being deserialized, preventing object injection exploitation in the vulnerable Ricky theme.
- Vulnerability scanning: enables vulnerability scanning to detect the PHP object injection flaw in the Ricky theme, facilitating identification and remediation of CVE-2026-25032.