CVE-2026-22453
Published: 05 March 2026
Summary
CVE-2026-22453 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22453 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the ThemeREX Pets Club (petclub) WordPress theme, which allows Object Injection. It affects Pets Club versions up to and including 2.3 (no lower bound is specified).
The vulnerability enables remote exploitation over the network with low attack complexity, requiring no privileges or user interaction (CVSS:3.1 score of 9.8; AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Unauthenticated attackers can achieve high impacts on confidentiality, integrity, and availability, potentially leading to full system compromise via injected objects.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/petclub/vulnerability/wordpress-pets-club-theme-2-3-php-object-injection-vulnerability?_s_id=cve) documents this PHP Object Injection vulnerability in the WordPress Pets Club theme version 2.3 and provides details on mitigation through patching or updates.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9574
Vulnerability details
Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection. This issue affects Pets Club: from n/a through <= 2.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote PHP object injection in a public-facing WordPress theme directly enables exploitation of a web application (T1190) with potential for RCE and full compromise.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Mandates timely remediation of identified flaws, directly addressing the deserialization vulnerability in Pets Club WordPress theme versions <=2.3 through patching or updates.
Requires vulnerability scanning and monitoring to identify the PHP object injection flaw (CVE-2026-22453) in deployed WordPress themes.
Enforces validation and sanitization of untrusted inputs to mitigate injection of malicious serialized objects exploiting the deserialization vulnerability.