Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
4 vulnerabilities found for altair by themegoods
CVE-2025-32928 (GCVE-0-2025-32928)
Vulnerability from nvd – Published: 2025-05-19 19:53 – Updated: 2026-04-01 15:51
VLAI?
Title
WordPress Altair theme <= 5.2.2 - PHP Object Injection vulnerability
Summary
Deserialization of Untrusted Data vulnerability in ThemeGoods Altair altair allows Object Injection.This issue affects Altair: from n/a through <= 5.2.2.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ThemeGoods | Altair |
Affected:
0 , ≤ 5.2.2
(custom)
|
Date Public ?
2026-04-01 16:39
Credits
Bonds | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32928",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T21:10:59.783234Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T21:19:12.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://themeforest.net",
"defaultStatus": "unaffected",
"packageName": "altair",
"product": "Altair",
"vendor": "ThemeGoods",
"versions": [
{
"lessThanOrEqual": "5.2.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bonds | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:39:03.566Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Altair altair allows Object Injection.\u003cp\u003eThis issue affects Altair: from n/a through \u003c= 5.2.2.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Altair altair allows Object Injection.This issue affects Altair: from n/a through \u003c= 5.2.2."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:51:38.661Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/altair/vulnerability/wordpress-altair-theme-5-2-2-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress Altair theme \u003c= 5.2.2 - PHP Object Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32928",
"datePublished": "2025-05-19T19:53:26.530Z",
"dateReserved": "2025-04-14T11:30:45.185Z",
"dateUpdated": "2026-04-01T15:51:38.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12922 (GCVE-0-2024-12922)
Vulnerability from nvd – Published: 2025-03-19 05:22 – Updated: 2025-03-19 14:47
VLAI?
Title
Altair <= 5.2.4 - Unauthenticated Arbitrary Options Update via pp_import_current
Summary
The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in all versions up to, and including, 5.2.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity ?
9.8 (Critical)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ThemeGoods | Altair |
Affected:
* , ≤ 5.2.4
(semver)
|
Credits
Tonn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12922",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T14:44:26.388417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T14:47:20.628Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Altair",
"vendor": "ThemeGoods",
"versions": [
{
"lessThanOrEqual": "5.2.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tonn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in all versions up to, and including, 5.2.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T05:22:52.303Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e27971a3-f84c-4f13-81af-127e7560566a?source=cve"
},
{
"url": "https://themeforest.net/item/tour-travel-agency-altair-theme/9318575"
},
{
"url": "https://themeforest.net/item/tour-travel-agency-altair-theme/9318575#item-description__changelog"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-26T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-03-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Altair \u003c= 5.2.4 - Unauthenticated Arbitrary Options Update via pp_import_current"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12922",
"datePublished": "2025-03-19T05:22:52.303Z",
"dateReserved": "2024-12-25T00:46:20.529Z",
"dateUpdated": "2025-03-19T14:47:20.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32928 (GCVE-0-2025-32928)
Vulnerability from cvelistv5 – Published: 2025-05-19 19:53 – Updated: 2026-04-01 15:51
VLAI?
Title
WordPress Altair theme <= 5.2.2 - PHP Object Injection vulnerability
Summary
Deserialization of Untrusted Data vulnerability in ThemeGoods Altair altair allows Object Injection.This issue affects Altair: from n/a through <= 5.2.2.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ThemeGoods | Altair |
Affected:
0 , ≤ 5.2.2
(custom)
|
Date Public ?
2026-04-01 16:39
Credits
Bonds | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32928",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T21:10:59.783234Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T21:19:12.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://themeforest.net",
"defaultStatus": "unaffected",
"packageName": "altair",
"product": "Altair",
"vendor": "ThemeGoods",
"versions": [
{
"lessThanOrEqual": "5.2.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bonds | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:39:03.566Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Altair altair allows Object Injection.\u003cp\u003eThis issue affects Altair: from n/a through \u003c= 5.2.2.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Altair altair allows Object Injection.This issue affects Altair: from n/a through \u003c= 5.2.2."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:51:38.661Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/altair/vulnerability/wordpress-altair-theme-5-2-2-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress Altair theme \u003c= 5.2.2 - PHP Object Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32928",
"datePublished": "2025-05-19T19:53:26.530Z",
"dateReserved": "2025-04-14T11:30:45.185Z",
"dateUpdated": "2026-04-01T15:51:38.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12922 (GCVE-0-2024-12922)
Vulnerability from cvelistv5 – Published: 2025-03-19 05:22 – Updated: 2025-03-19 14:47
VLAI?
Title
Altair <= 5.2.4 - Unauthenticated Arbitrary Options Update via pp_import_current
Summary
The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in all versions up to, and including, 5.2.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity ?
9.8 (Critical)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ThemeGoods | Altair |
Affected:
* , ≤ 5.2.4
(semver)
|
Credits
Tonn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12922",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T14:44:26.388417Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T14:47:20.628Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Altair",
"vendor": "ThemeGoods",
"versions": [
{
"lessThanOrEqual": "5.2.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tonn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in all versions up to, and including, 5.2.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T05:22:52.303Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e27971a3-f84c-4f13-81af-127e7560566a?source=cve"
},
{
"url": "https://themeforest.net/item/tour-travel-agency-altair-theme/9318575"
},
{
"url": "https://themeforest.net/item/tour-travel-agency-altair-theme/9318575#item-description__changelog"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-26T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-03-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Altair \u003c= 5.2.4 - Unauthenticated Arbitrary Options Update via pp_import_current"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12922",
"datePublished": "2025-03-19T05:22:52.303Z",
"dateReserved": "2024-12-25T00:46:20.529Z",
"dateUpdated": "2025-03-19T14:47:20.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}