{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22384", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:40.878Z", "datePublished": "2026-02-20T15:47:07.059Z", "dateUpdated": "2026-04-28T16:53:38.560Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "applay-shortcodes", "product": "Applay - Shortcodes", "vendor": "leafcolor", "versions": [{"lessThanOrEqual": "3.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:21.611Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in leafcolor Applay - Shortcodes applay-shortcodes allows Object Injection.<p>This issue affects Applay - Shortcodes: from n/a through <= 3.7.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in leafcolor Applay - Shortcodes applay-shortcodes allows Object Injection.This issue affects Applay - Shortcodes: from n/a through <= 3.7."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:42.384Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/applay-shortcodes/vulnerability/wordpress-applay-shortcodes-plugin-3-7-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Applay - Shortcodes plugin <= 3.7 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T18:30:26.195415Z", "id": "CVE-2026-22384", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:53:38.560Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22384", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:40.878Z", "datePublished": "2026-02-20T15:47:07.059Z", "dateUpdated": "2026-04-28T16:53:38.560Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "applay-shortcodes", "product": "Applay - Shortcodes", "vendor": "leafcolor", "versions": [{"lessThanOrEqual": "3.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:21.611Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in leafcolor Applay - Shortcodes applay-shortcodes allows Object Injection.<p>This issue affects Applay - Shortcodes: from n/a through <= 3.7.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in leafcolor Applay - Shortcodes applay-shortcodes allows Object Injection.This issue affects Applay - Shortcodes: from n/a through <= 3.7."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:42.384Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/applay-shortcodes/vulnerability/wordpress-applay-shortcodes-plugin-3-7-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Applay - Shortcodes plugin <= 3.7 - PHP Object Injection vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22384", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T18:30:26.195415Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T18:28:34.708Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in leafcolor Applay - Shortcodes applay-shortcodes allows Object Injection.This issue affects Applay - Shortcodes: from n/a through <= 3.7."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en leafcolor Applay - Shortcodes applay-shortcodes permite la inyecci\u00f3n de objetos. Este problema afecta a Applay - Shortcodes: desde n/a hasta &lt;= 3.7."}], "id": "CVE-2026-22384", "lastModified": "2026-04-28T19:36:33.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-20T16:22:38.090", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/applay-shortcodes/vulnerability/wordpress-applay-shortcodes-plugin-3-7-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Applay - Shortcodes", "source": "cna", "vendor": "leafcolor"}, "product": "applay_-_shortcodes", "vendor": "leafcolor"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T17:36:04.382297+00:00", "value": {"mitigation_remediation": ["Update the Applay - Shortcodes plugin to a version newer than 3.7, if available, or obtain a vendor\u2011supplied patch that removes the untrusted deserialization.", "If an upgrade is not immediately possible, consider disabling or deactivating the plugin until a fix is applied.", "Implement stricter input validation for any data that reaches the plugin, and enforce the principle that only trusted WordPress users can provide data that may be deserialized."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin Applay - Shortcodes distributed by leafcolor, specifically all releases through version 3.7. Systems running this plugin on any WordPress installation are potentially exposed. No specific operating system or database version restrictions are listed.", "description_and_impact": "Deserialization of untrusted data in the Applay - Shortcodes plugin enables PHP object injection. The flaw permits an attacker to craft arbitrary serialized objects that are processed by the plugin, potentially leading to code execution or unauthorized manipulation of the WordPress site. While the impact on confidentiality, integrity, and availability is largely determined by the attacker\u2019s payload, the high severity rating suggests a capability for remote code execution and other critical damage.", "risk_and_exploitability": "The CVSS score of 9.8 indicates a high risk. The EPSS score of less than 1% implies that, at present, exploitation attempts are rare, but the lack of a KEV listing does not eliminate the possibility of future exploitation. Based on the description, the likely attack surface is a remote attacker submitting malicious serialized data to the plugin, which is then deserialized within the application context. Triggering the vulnerability would require the attacker to deliver the crafted payload through a user-facing interface that does not properly sanitize input."}}}}, "created": "2026-02-23T14:35:58.445969+00:00", "updated": "2026-04-28T17:45:16.124136+00:00", "vendors": ["leafcolor", "leafcolor$PRODUCT$applay_-_shortcodes", "wordpress", "wordpress$PRODUCT$wordpress"]}