Cyber Resilience

CVE-2026-32502

CriticalRCE

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0037 29.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-32502 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32502 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Borgholm marketing agency WordPress theme developed by Select-Themes. The flaw enables Object Injection and affects all versions of the Borgholm theme from its initial release (n/a) through versions prior to 1.6. Published on March 25, 2026, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impacts across confidentiality, integrity, and availability.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By supplying malicious serialized data, the attacker can trigger Object Injection, potentially leading to arbitrary code execution, data manipulation, or denial of service, depending on the injected objects and server environment.

The Patchstack advisory recommends updating the Borgholm theme to version 1.6 or later, where the vulnerability is addressed. Security practitioners should scan WordPress installations for vulnerable theme versions and apply the patch promptly, as no workarounds are specified in available references.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated remote deserialization/RCE in public-facing WordPress theme directly enables T1190 exploitation and Unix/PHP command execution via T1059.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1913Shared CWE-502
CVE-2025-69002Shared CWE-502
CVE-2025-69036Shared CWE-502
CVE-2026-25316Shared CWE-502
CVE-2026-25358Shared CWE-502
CVE-2024-11465Shared CWE-502
CVE-2026-29109Shared CWE-502
CVE-2026-24989Shared CWE-502
CVE-2025-30773Shared CWE-502
CVE-2026-25400Shared CWE-502

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventrecover

Requires timely identification, reporting, and patching of the deserialization flaw in vulnerable Borgholm theme versions prior to 1.6, directly eliminating the vulnerability.

detect

Mandates vulnerability scanning to identify installations running vulnerable Borgholm theme versions, enabling prompt remediation.

prevent

Enforces validation of untrusted inputs, including serialized data, to block malicious payloads targeting the deserialization vulnerability.

References