CVE-2026-22475
Deserialization Object Injection in Axiomthemes Estate
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| axiomthemes | estate | to 1.3.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22475 is a high-priority PHP Object Injection vulnerability affecting the WordPress Estate Theme versions up to and including 1.3.4.
This vulnerability allows unauthenticated attackers to perform PHP Object Injection, which means they can inject malicious objects into the application.
If a suitable Property Oriented Programming (POP) chain is available, this can lead to severe attacks such as remote code execution, SQL injection, path traversal, denial of service, and other exploits.
How can this vulnerability impact me? :
This vulnerability can have critical impacts including allowing attackers to execute arbitrary code remotely on your server.
It can also enable SQL injection attacks, which may compromise your database integrity and confidentiality.
Other possible impacts include path traversal attacks that can expose sensitive files, denial of service conditions that disrupt service availability, and other malicious activities.
Because the theme has not been updated for over a year and no official patch is available, the risk remains high unless mitigations are applied.
Users are advised to apply mitigation rules or remove and replace the vulnerable theme to protect their websites.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided resources do not include specific commands or methods to detect this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-22475 vulnerability in the WordPress Estate Theme (versions up to 1.3.4), immediate actions include applying the mitigation rule issued by Patchstack to block exploitation attempts.
Alternatively, users are advised to remove and replace the vulnerable theme entirely, as deactivating the theme alone does not eliminate the security risk.
Since no official patch has been released and the theme is unlikely to receive future updates, applying these mitigations is critical to protect your website.