{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22453", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:43:49.724Z", "datePublished": "2026-03-05T05:53:44.072Z", "dateUpdated": "2026-04-28T17:15:10.127Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "petclub", "product": "Pets Club", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "2.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:28.060Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection.<p>This issue affects Pets Club: from n/a through <= 2.3.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection.This issue affects Pets Club: from n/a through <= 2.3."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:44.346Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/petclub/vulnerability/wordpress-pets-club-theme-2-3-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Pets Club theme <= 2.3 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T16:12:45.200344Z", "id": "CVE-2026-22453", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:15:10.127Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22453", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T16:12:45.200344Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T16:11:50.974Z"}}], "cna": {"title": "WordPress Pets Club theme <= 2.3 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "ThemeREX", "product": "Pets Club", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.3"}], "packageName": "petclub", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:28.060Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/petclub/vulnerability/wordpress-pets-club-theme-2-3-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection.This issue affects Pets Club: from n/a through <= 2.3.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection.<p>This issue affects Pets Club: from n/a through <= 2.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:53.839Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22453", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:53.839Z", "dateReserved": "2026-01-07T13:43:49.724Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:44.072Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection.This issue affects Pets Club: from n/a through <= 2.3."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en ThemeREX Pets Club petclub permite la inyecci\u00f3n de objetos. Este problema afecta a Pets Club: desde n/a hasta &lt;= 2.3."}], "id": "CVE-2026-22453", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:19.580", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/petclub/vulnerability/wordpress-pets-club-theme-2-3-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Pets Club", "source": "cna", "vendor": "ThemeREX"}, "product": "pets_club", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T05:23:37.688830+00:00", "value": {"mitigation_remediation": ["Upgrade the Pets Club theme to a version higher than 2.3 that includes the deserialization fix.", "If an upgrade cannot be performed immediately, deactivate or uninstall the Pets Club theme to remove the vulnerable code path.", "Implement a temporary protective measure by restricting or blocking HTTP requests that carry serialized data\u2014e.g., through ModSecurity WAF rules or by setting stricter file permissions on theme files that handle deserialization."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution via PHP Object Injection"}, "threat_synthesis": {"affected_systems": "ThemeREX Pets Club theme, versions up through 2.3. Any WordPress installation that has installed this theme in those versions is susceptible. The issue resides in the theme\u2019s code, not the core WordPress software.", "description_and_impact": "The WordPress Pets Club theme contains a deserialization of untrusted data that allows PHP Object Injection. An attacker can send a crafted payload that is interpreted by the theme, enabling the execution of arbitrary code on the server. This vulnerability is classified as CWE-502 and can compromise confidentiality, integrity, and availability of the affected site.", "risk_and_exploitability": "The CVSS score is 9.8, marking it as critical, while the EPSS score of less than 1% indicates a low current probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog, so no confirmed active exploitation has been recorded. The likely attack vector is via a crafted HTTP request that reaches the vulnerable deserialization routine in the theme; this inference is based on the nature of PHP Object Injection."}}}}, "created": "2026-03-06T15:14:09.116095+00:00", "updated": "2026-04-16T05:30:25.793726+00:00", "vendors": ["themerex", "themerex$PRODUCT$pets_club", "wordpress", "wordpress$PRODUCT$wordpress"]}