CVE-2026-22474
Awaiting Analysis Awaiting Analysis - Queue
Deserialization Object Injection in ThemeREX Equestrian Centre

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in ThemeREX Equestrian Centre equestrian-centre allows Object Injection.This issue affects Equestrian Centre: from n/a through <= 1.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22474
EUVD
EUVD-2026-9585
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
themerex equestrian_centre to 1.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

There is no specific detection command or method provided for this vulnerability in the available resources.

However, since the vulnerability involves PHP Object Injection in the WordPress Equestrian Centre Theme versions up to 1.5, monitoring for unusual PHP object deserialization attempts or suspicious HTTP requests targeting this theme could help in detection.

Applying web application firewall (WAF) rules, such as the mitigation rule issued by Patchstack, can also help detect and block exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include applying the Patchstack mitigation rule designed to block attacks targeting this PHP Object Injection vulnerability.

Since no official patch is currently available, users are strongly advised to implement these mitigations immediately to protect their websites.

Additionally, monitoring and restricting access to the vulnerable theme and considering disabling or replacing the Equestrian Centre theme version 1.5 or below can reduce risk.

Executive Summary

CVE-2026-22474 is a high-priority PHP Object Injection vulnerability found in the WordPress Equestrian Centre Theme versions up to and including 1.5. It allows unauthenticated attackers to inject malicious PHP objects into the application.

This vulnerability arises from deserialization of untrusted data, which can be exploited to perform various attacks if a suitable PHP Object Injection POP chain is used.

Impact Analysis

Exploitation of this vulnerability can lead to severe consequences including remote code execution, SQL injection, path traversal, denial of service, and other attacks.

Because the vulnerability requires no privileges to exploit, attackers can compromise affected websites without authentication.

No official patch is currently available, so users must apply mitigation rules provided by Patchstack to protect their sites.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22474. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart