{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32484", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:55.347Z", "datePublished": "2026-03-25T16:14:57.893Z", "dateUpdated": "2026-04-29T09:52:00.080Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "weforms", "product": "weForms", "vendor": "BoldGrid", "versions": [{"changes": [{"at": "1.6.27", "status": "unaffected"}], "lessThanOrEqual": "<= 1.6.26", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:36.697Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection.<p>This issue affects weForms: from n/a through <= 1.6.26.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection.This issue affects weForms: from n/a through <= 1.6.26."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:00.080Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/weforms/vulnerability/wordpress-weforms-plugin-1-6-26-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress weForms plugin <= 1.6.26 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:43:43.757235Z", "id": "CVE-2026-32484", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:43:58.561Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32484", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:43:43.757235Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:43:55.727Z"}}], "cna": {"title": "WordPress weForms plugin <= 1.6.26 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "BoldGrid", "product": "weForms", "versions": [{"status": "affected", "changes": [{"at": "1.6.27", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.6.26"}], "packageName": "weforms", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:36.697Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/weforms/vulnerability/wordpress-weforms-plugin-1-6-26-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection.This issue affects weForms: from n/a through <= 1.6.26.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection.<p>This issue affects weForms: from n/a through <= 1.6.26.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:57.893Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32484", "state": "PUBLISHED", "dateUpdated": "2026-03-26T15:43:58.561Z", "dateReserved": "2026-03-12T11:11:55.347Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:57.893Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection.This issue affects weForms: from n/a through <= 1.6.26."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en BoldGrid weForms weforms permite la inyecci\u00f3n de objetos. Este problema afecta a weForms: desde n/a hasta &lt;= 1.6.26."}], "id": "CVE-2026-32484", "lastModified": "2026-04-29T10:17:13.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:59.457", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/weforms/vulnerability/wordpress-weforms-plugin-1-6-26-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.26]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.6.27,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "weForms", "source": "cna", "vendor": "BoldGrid"}, "product": "weforms", "vendor": "boldgrid"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T17:38:04.782613+00:00", "value": {"mitigation_remediation": ["Check the installed version of BoldGrid weForms on each site.", "Upgrade BoldGrid weForms to the latest version (>= 1.6.27) as soon as possible."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites running the BoldGrid weForms plugin up to version 1.6.26 are affected. Any installations that have the plugin installed from the earliest release through the 1.6.26 release are vulnerable, regardless of the WordPress core version.", "description_and_impact": "Deserialization of untrusted data in BoldGrid weForms allows attackers to inject arbitrary PHP objects. If an attacker sends a specially crafted payload to the plugin\u2019s form processing logic, they can instantiate malicious objects that may lead to arbitrary code execution within the web server\u2019s context. The integrity of the application is compromised, and the confidentiality of data held on the site may be exposed. Availability could also be impacted if the exploit crashes the site.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.8, indicating high severity. EPSS indicates it is unlikely to be widely exploited today, with a probability of less than 1%. It is not listed in the CISA KEV catalog. The likely attack vector is the submission of malicious data to the form handling endpoint; the attacker must be able to send a serialized payload that the plugin will process. Once the payload reaches the PHP interpreter, the injection can lead to remote code execution or other high\u2011impact actions."}}}}, "created": "2026-03-25T21:43:42.196278+00:00", "updated": "2026-03-27T09:31:11.107386+00:00", "vendors": ["boldgrid", "boldgrid$PRODUCT$weforms", "wordpress", "wordpress$PRODUCT$wordpress"]}