{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22497", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:30.742Z", "datePublished": "2026-03-05T05:53:47.948Z", "dateUpdated": "2026-04-28T17:20:36.984Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "jardi", "product": "Jardi", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "1.7.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:54.466Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection.<p>This issue affects Jardi: from n/a through <= 1.7.2.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection.This issue affects Jardi: from n/a through <= 1.7.2."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.332Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/jardi/vulnerability/wordpress-jardi-theme-1-7-2-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Jardi theme <= 1.7.2 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:50:49.635858Z", "id": "CVE-2026-22497", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:20:36.984Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22497", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:30.742Z", "datePublished": "2026-03-05T05:53:47.948Z", "dateUpdated": "2026-04-28T17:20:36.984Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "jardi", "product": "Jardi", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "1.7.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:54.466Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection.<p>This issue affects Jardi: from n/a through <= 1.7.2.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection.This issue affects Jardi: from n/a through <= 1.7.2."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.332Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/jardi/vulnerability/wordpress-jardi-theme-1-7-2-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Jardi theme <= 1.7.2 - PHP Object Injection vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22497", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T19:50:49.635858Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:50:12.308Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection.This issue affects Jardi: from n/a through <= 1.7.2."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en AncoraThemes Jardi jardi permite la inyecci\u00f3n de objetos. Este problema afecta a Jardi: desde n/a hasta &lt;= 1.7.2."}], "id": "CVE-2026-22497", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:21.820", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/jardi/vulnerability/wordpress-jardi-theme-1-7-2-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "jardi", "vendor": "ancorathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T12:46:41.008311+00:00", "value": {"mitigation_remediation": ["Upgrade AncoraThemes Jardi theme to a release newer than 1.7.2 where the deserialization logic has been fixed.", "If an upgrade is not immediately feasible, deactivate the Jardi theme and switch the site to a known\u2011safe default or alternative theme.", "Remove or disable the code path in the theme that deserializes untrusted data, ensuring that any user\u2011controlled input is strictly validated or not processed."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "AncoraThemes Jardi theme for WordPress, all releases from the initial package through version 1.7.2 are affected. The vulnerability applies to any WordPress installation that has the Jardi theme active and has not installed an update newer than 1.7.2.", "description_and_impact": "The vulnerability is a PHP deserialization flaw in the AncoraThemes Jardi theme for WordPress that allows an attacker to inject objects into the theme\u2019s processing pipeline. If an attacker can supply an untrusted serialized payload that the theme deserializes, the flaw can be used to execute arbitrary PHP code with the permissions of the WordPress site, giving full control over the server. This weakness is classified as CWE\u2011502, indicating a deserialization of untrusted data.", "risk_and_exploitability": "The CVSS score of 9.8 denotes critical severity, while the low EPSS score of less than 1% suggests that the vulnerability is not currently widely exploited. The issue is not listed in the CISA KEV catalog, indicating that known active exploitation is not reported. Based on the description, it is inferred that the attack vector likely involves a user\u2011controlled serialized input that triggers the vulnerable deserialization routine via a WordPress page or plugin; when exploited, the attacker could achieve remote code execution with site\u2011wide privileges."}}}}, "created": "2026-03-06T15:13:54.221938+00:00", "updated": "2026-04-16T13:00:11.063275+00:00", "vendors": ["ancorathemes", "ancorathemes$PRODUCT$jardi", "wordpress", "wordpress$PRODUCT$wordpress"]}