{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0677", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T17:39:35.855Z", "datePublished": "2026-03-20T09:31:42.957Z", "dateUpdated": "2026-03-20T11:54:03.981Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-20T09:31:42.957Z"}, "title": "WordPress TotalContest Lite plugin <= 2.9.1 - PHP Object Injection vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "affected": [{"vendor": "TotalSuite", "product": "TotalContest Lite", "collectionURL": "https://wordpress.org/plugins", "packageName": "totalcontest-lite", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "2.9.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite allows Object Injection.This issue affects TotalContest Lite: from n/a through 2.9.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite allows Object Injection.<p>This issue affects TotalContest Lite: from n/a through 2.9.1.</p>"}]}], "tags": ["x_open-source"], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/totalcontest-lite/vulnerability/wordpress-totalcontest-lite-plugin-2-9-1-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "hhhai | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T11:48:58.164115Z", "id": "CVE-2026-0677", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T11:54:03.981Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite allows Object Injection.This issue affects TotalContest Lite: from n/a through 2.9.1."}], "id": "CVE-2026-0677", "lastModified": "2026-03-20T10:16:18.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-20T10:16:18.257", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/totalcontest-lite/vulnerability/wordpress-totalcontest-lite-plugin-2-9-1-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-20T10:20:46.656942+00:00", "value": {"mitigation_remediation": ["Update the TotalContest Lite plugin to the latest version (>= 2.9.2 if available).", "If no newer version is available, disable or delete the plugin to remove the vulnerability.", "Review WordPress security settings and ensure that only trusted administrators have plugin installation rights.", "Monitor the site for suspicious activity and review logs for unauthorized object injection attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress TotalContest Lite plugin versions up to and including 2.9.1 are affected. All installations of the product from the earliest release through 2.9.1 may be vulnerable. The vendor is TotalSuite:TotalContest Lite.", "description_and_impact": "Deserialization of untrusted data in TotalContest Lite enables PHP object injection, which can allow an attacker to execute arbitrary code and compromise the entire WordPress site. The vulnerability is described as a classic PHP deserialization flaw (CWE\u2011502). The impact is potential remote code execution and complete system takeover.", "risk_and_exploitability": "The CVSS score is 7.2, indicating a high severity of the vulnerability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely remote, through the web interface, as the flaw occurs when the plugin processes serialized data from untrusted sources. Exploitation requires no special privileges beyond remote access to the site, making it a high\u2011risk issue for publicly accessible WordPress sites."}}}}, "created": "2026-03-20T10:36:25.925519+00:00", "updated": "2026-03-20T10:36:25.925546+00:00", "vendors": []}