CVE-2026-22475
Published: 05 March 2026
Summary
CVE-2026-22475 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 30.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22475 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the axiomthemes Estate WordPress theme that enables PHP Object Injection. It affects the Estate theme from an unknown initial version through version 1.3.4 inclusive. Published on 2026-03-05T06:16:21.163, it carries a CVSS v3.1 base score of 9.8 (Critical), reflecting network accessibility, low attack complexity, no required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.
The vulnerability is exploitable by unauthenticated remote attackers with no privileges or user interaction needed. Because the theme deserializes data an attacker controls, the attacker chooses which PHP objects are instantiated, which is what leads to the high confidentiality, integrity, and availability impacts indicated by the CVSS score.
Patchstack's advisory documents this as a PHP Object Injection vulnerability specifically in the WordPress Estate theme version 1.3.4, providing details via their vulnerability database entry at https://patchstack.com/database/Wordpress/Theme/estate/vulnerability/wordpress-estate-theme-1-3-4-php-object-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9586
Vulnerability details
Deserialization of Untrusted Data vulnerability in axiomthemes Estate estate allows Object Injection. This issue affects Estate: from n/a through <= 1.3.4.
- CWE: CWE-502 (Deserialization of Untrusted Data)
Related Threats (MITRE ATT&CK Enterprise Techniques)
- Exploit Public-Facing Application (T1190)
Why these techniques?
Direct remote exploitation of a public-facing WordPress theme via unauthenticated PHP deserialization/object injection, leading to RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires identification, reporting, and correction of the deserialization flaw in the Estate WordPress theme to prevent object injection exploitation.
- SI-10 (Information Input Validation): Mandates validation of untrusted inputs prior to deserialization, addressing the root cause of the CWE-502 object injection in the vulnerable theme.
- Enables regular vulnerability scanning to identify the deserialization vulnerability in the Estate theme, facilitating timely remediation.
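To make the CWE-502 pattern behind this advisory and the SI-10 input-validation control concrete, here is an added illustration in PHP. It is hypothetical code written for this page, not the Estate theme's code, and does not reproduce the theme's actual vulnerable code path; the class name, function names, the allow-lists and the sample payload are assumptions. It assumes PHP 8.0 or later.

```php
<?php
// Added illustration of CWE-502 / PHP object injection and of validating
// untrusted input before (or instead of) deserializing it. Hypothetical code:
// none of this is taken from the Estate theme or reproduces its code path.

// A harmless class used only to show that unserialize() lets the input decide
// which classes get instantiated. Real gadget chains rely on classes whose
// __wakeup()/__destruct() do something; this one deliberately does nothing.
class LayoutOptions
{
    public string $columns = '2';
    public string $sidebar = 'right';
}

// Weak pattern: a serialized string taken from the request (cookie, POST
// field, query string) goes straight into unserialize(), so whoever wrote the
// request controls which classes are instantiated and which magic methods run.
function load_options_unsafe(string $untrusted): mixed
{
    return unserialize($untrusted); // CWE-502: no restriction on classes
}

// Recursive check used by the hardened variant below: true if any object
// survived deserialization anywhere in the structure.
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern 1: keep unserialize() but refuse to instantiate classes.
// With allowed_classes => false every object becomes __PHP_Incomplete_Class,
// so no __wakeup()/__destruct() code runs; only scalar/array data is accepted.
function load_options_scalar_only(string $untrusted): array
{
    $data = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return []; // fail closed: malformed input or an object anywhere in it
    }
    return $data;
}

// Hardened pattern 2: do not use PHP serialization for untrusted data at all.
// JSON cannot express PHP objects, and each field is validated against an
// explicit allow-list before use (the SI-10 input validation this page cites).
function load_options_json(string $untrusted): array
{
    try {
        $data = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    if (!is_array($data)) {
        return [];
    }
    $allowedColumns = ['1', '2', '3'];          // assumed valid values
    $allowedSidebar = ['left', 'right', 'none']; // assumed valid values
    return [
        'columns' => in_array($data['columns'] ?? null, $allowedColumns, true) ? $data['columns'] : '2',
        'sidebar' => in_array($data['sidebar'] ?? null, $allowedSidebar, true) ? $data['sidebar'] : 'right',
    ];
}

// Constructed sample payload: a serialized LayoutOptions object, i.e. the
// shape in which an input-chosen class arrives on the wire (harmless here).
$payload = 'O:13:"LayoutOptions":1:{s:7:"columns";s:1:"3";}';

$obj = load_options_unsafe($payload);
echo 'unsafe:      ' . (is_object($obj) ? get_class($obj) : gettype($obj)) . PHP_EOL;

$arr = load_options_scalar_only($payload);
echo 'scalar-only: ' . count($arr) . ' keys' . PHP_EOL;

$json = load_options_json('{"columns":"3","sidebar":"left","extra":"ignored"}');
echo 'json:        ' . json_encode($json) . PHP_EOL;
```

Running the script shows the first loader handing back whatever class the payload named, while the two hardened loaders return only validated scalar data. The `allowed_classes` option is defence in depth for code that must keep `unserialize()`; the primary control for this CVE remains updating the theme past the affected versions (SI-2) and, where the data is a request parameter, replacing PHP serialization with a format that cannot carry objects.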