CVE-2026-22500
Published: 25 March 2026
Summary
CVE-2026-22500 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 39.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-22500 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the axiomthemes "m2 | Construction and Tools Store" WordPress theme, also known as m2-ce. This flaw enables Object Injection and affects all versions from n/a through 1.1.2.
With a CVSS v3.1 base score of 9.8 (Critical; AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability can be exploited over the network by unauthenticated attackers with low attack complexity and no user interaction. Successful exploitation has high impact on confidentiality, integrity, and availability, potentially leading to full site compromise via injected objects.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/m2-ce/vulnerability/wordpress-m2-construction-and-tools-store-theme-1-1-2-php-object-injection-vulnerability?_s_id=cve provides details on this PHP Object Injection issue in theme version 1.1.2, including mitigation guidance for affected WordPress installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15507
Vulnerability details
Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection. This issue affects m2 | Construction and Tools Store: from n/a through <= 1.1.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The flaw allows direct, unauthenticated remote code execution via deserialization/object injection in a public-facing WordPress theme component.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires organizations to remediate flaws, directly addressing this deserialization vulnerability by patching or updating the vulnerable m2-ce WordPress theme.
SI-10 mandates information input validation at entry points, preventing untrusted data from being deserialized into objects in the theme.
RA-5 vulnerability scanning identifies the PHP object injection flaw in the theme, enabling proactive mitigation before exploitation.
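The following is an added illustration of the SI-10 point above, not code from the m2-ce theme or from the advisory: a hypothetical theme settings loader that reads a blob from a request parameter, shown in the PHP Object Injection pattern described on this page beside a hardened form that never reconstructs objects from untrusted data. All class and function names are invented; it assumes PHP 8 or later.

```php
<?php
// Added illustration (not the m2-ce theme's code). Names are hypothetical.

class ThemeWidget {
    public string $name = '';
    public static int $wakeups = 0;
    // Magic method: PHP runs this automatically when unserialize() rebuilds an instance,
    // which is the code path an injected object reaches without any call by the theme.
    public function __wakeup(): void { self::$wakeups++; }
}

// VULNERABLE pattern (CWE-502): whoever controls $raw chooses which classes get
// instantiated, so any class loaded by WordPress or its plugins becomes reachable.
function theme_load_settings_vulnerable(string $raw): mixed {
    return unserialize($raw);
}

// HARDENED: objects are never reconstructed (they surface as __PHP_Incomplete_Class
// and are rejected), and the decoded value must match the settings shape we expect.
function theme_load_settings_safe(string $raw): ?array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;                       // not a plain array: reject
    }
    $allowed = ['layout' => 'string', 'columns' => 'integer'];
    foreach ($data as $key => $value) {
        if (!isset($allowed[$key]) || gettype($value) !== $allowed[$key]) {
            return null;                   // unexpected key or type: treat as tampering
        }
    }
    return $data;
}

// Constructed sample inputs: a legitimate settings blob and one smuggling an object.
$legit   = serialize(['layout' => 'grid', 'columns' => 3]);
$tainted = serialize(new ThemeWidget());  // stands in for attacker-controlled request data

theme_load_settings_vulnerable($tainted);
printf("vulnerable path: __wakeup ran %d time(s)\n", ThemeWidget::$wakeups);

ThemeWidget::$wakeups = 0;
var_dump(theme_load_settings_safe($tainted));   // rejected, no magic method runs
printf("hardened path:   __wakeup ran %d time(s)\n", ThemeWidget::$wakeups);
var_dump(theme_load_settings_safe($legit));     // accepted settings array
```

Where the data only ever needs arrays and scalars, storing it as JSON and decoding with json_decode() removes the object-injection surface entirely; the allowed_classes restriction is the fallback when a legacy serialized format must be kept.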