{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22510", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:36.068Z", "datePublished": "2026-03-25T16:14:26.647Z", "dateUpdated": "2026-04-28T17:22:34.268Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "melodyschool", "product": "Melody", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "1.6.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:50.475Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.<p>This issue affects Melody: from n/a through <= 1.6.3.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.This issue affects Melody: from n/a through <= 1.6.3."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.334Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/melodyschool/vulnerability/wordpress-melody-theme-1-6-3-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Melody theme <= 1.6.3 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:57:12.809385Z", "id": "CVE-2026-22510", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:22:34.268Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22510", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:57:12.809385Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:57:23.800Z"}}], "cna": {"title": "WordPress Melody theme <= 1.6.3 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AncoraThemes", "product": "Melody", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.6.3"}], "packageName": "melodyschool", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:50.475Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/melodyschool/vulnerability/wordpress-melody-theme-1-6-3-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.This issue affects Melody: from n/a through <= 1.6.3.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.<p>This issue affects Melody: from n/a through <= 1.6.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.334Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22510", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:22:34.268Z", "dateReserved": "2026-01-07T13:44:36.068Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:26.647Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.This issue affects Melody: from n/a through <= 1.6.3."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en AncoraThemes Melody melodyschool permite la inyecci\u00f3n de objetos. Este problema afecta a Melody: desde n/a hasta &lt;= 1.6.3."}], "id": "CVE-2026-22510", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:33.273", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/melodyschool/vulnerability/wordpress-melody-theme-1-6-3-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "melody", "vendor": "ancorathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T18:49:49.791992+00:00", "value": {"mitigation_remediation": ["Update the Melody theme to a patched version that eliminates the deserialization issue.", "If no patch is immediately available, deactivate the Melody theme or switch to a different theme to prevent the vulnerable code from executing.", "Verify that the site is no longer processing serialized data from untrusted sources by reviewing application logs and testing functionality.", "Regularly monitor for signs of exploitation, such as unexpected file creation or execution errors."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The Melody theme by AncoraThemes, in any WordPress site that installed any release up to version\u202f1.6.3, is affected. The vulnerability is present in all versions from the first release through\u00a01.6.3. No specific minor patch or version detail beyond the\u00a0\u2264\u202f1.6.3 boundary is supplied.", "description_and_impact": "This vulnerability arises from the Melody theme's deserialization of untrusted data. Attackers can craft serialized PHP objects that, when processed by the theme, cause arbitrary object injection. The flaw qualifies as PHP Object Injection and maps to CWE\u2011502. If exploited, it can lead to remote code execution, allowing an attacker to compromise the entire WordPress site, exfiltrate data, modify files, or disrupt availability.", "risk_and_exploitability": "The CVSS score of\u00a08.1 denotes high severity, while an EPSS score below\u00a01\u00a0% indicates that the exploit probability is currently low. The vulnerability is not listed in the CISA KEV catalog, implying no widespread attacks have been observed yet. The attack vector appears to be supply of malicious serialized data via any WordPress endpoint that the Melody theme processes, which is inferred from the description; explicit exploitation instructions are not provided in the data. Nonetheless, because the flaw permits arbitrary code execution, urgent patching is recommended."}}}}, "created": "2026-03-25T21:35:10.356954+00:00", "updated": "2026-03-27T09:46:39.820329+00:00", "vendors": ["ancorathemes", "ancorathemes$PRODUCT$melody", "wordpress", "wordpress$PRODUCT$wordpress"]}