CVE-2026-22453

Critical · RCE

Published: 05 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: (not specified)
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0051 (39.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-22453 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 39.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22453 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the ThemeREX Pets Club (petclub) WordPress theme that allows PHP Object Injection. It affects Pets Club versions up to and including 2.3 (the advisory gives no lower bound: "from n/a through <= 2.3").

The vulnerability is exploitable remotely over the network with low attack complexity and requires neither privileges nor user interaction (CVSS:3.1 score 9.8; AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). An unauthenticated attacker can achieve high impact on confidentiality, integrity, and availability, potentially leading to full system compromise via injected PHP objects.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/petclub/vulnerability/wordpress-pets-club-theme-2-3-php-object-injection-vulnerability?_s_id=cve) documents this PHP Object Injection vulnerability in the WordPress Pets Club theme version 2.3 and provides details on mitigation through patching or updates.

Vulnerability details

Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection. This issue affects Pets Club: from n/a through <= 2.3.

CWE(s)

CWE-502 Deserialization of Untrusted Data
Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote PHP object injection in a public-facing WordPress theme maps directly to exploitation of a web application (T1190), with potential for RCE and full compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-62368 (shared CWE-502)
CVE-2025-68903 (shared CWE-502)
CVE-2025-67911 (shared CWE-502)
CVE-2025-54014 (shared CWE-502)
CVE-2026-22505 (shared CWE-502)
CVE-2025-53078 (shared CWE-502)
CVE-2026-43633 (shared CWE-502)
CVE-2025-60039 (shared CWE-502)
CVE-2026-25429 (shared CWE-502)
CVE-2025-7697 (shared CWE-502)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent): Mandates timely remediation of identified flaws, directly addressing the deserialization vulnerability in Pets Club WordPress theme versions <= 2.3 through patching or updates.

RA-5 Vulnerability Monitoring and Scanning (detect): Requires vulnerability scanning and monitoring to identify the PHP object injection flaw (CVE-2026-22453) in deployed WordPress themes.

Input validation (prevent): Enforces validation and sanitization of untrusted inputs so that attacker-controlled serialized data is never passed to the deserialization routine, mitigating injection of malicious serialized objects.
