CVE-2026-22500
Received Received - Intake
Deserialization Object Injection in axiomthemes m2-ce

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection.This issue affects m2 | Construction and Tools Store: from n/a through <= 1.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-22500
EUVD
EUVD-2026-15507
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
axiomthemes m2_ce to 1.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22500 is a high-priority PHP Object Injection vulnerability found in the WordPress theme "m2 | Construction and Tools Store" versions up to and including 1.1.2.

This vulnerability allows unauthenticated attackers to inject malicious PHP objects into the application, potentially enabling them to execute arbitrary code, perform SQL injection, path traversal, denial of service, and other attacks if a suitable Property Oriented Programming (POP) chain is present.

It is classified under the OWASP Top 10 category A3: Injection.

Impact Analysis

This vulnerability can have severe impacts including unauthorized code execution, which can compromise the entire website or server.

  • Execution of arbitrary PHP code by attackers.
  • SQL injection attacks that can lead to data leakage or corruption.
  • Path traversal attacks that may expose sensitive files.
  • Denial of service attacks that can disrupt website availability.

Since the vulnerability can be exploited by unauthenticated attackers, it poses a significant risk to website security and stability.

Detection Guidance

There is no specific detection command or method provided for this vulnerability in the available resources.

However, since this is a PHP Object Injection vulnerability in the WordPress theme "m2 | Construction and Tools Store" up to version 1.1.2, detection typically involves checking the version of the theme installed on your WordPress site.

You can verify the theme version by accessing your WordPress dashboard or by inspecting the theme files directly.

No specific network or system commands are suggested in the provided resources.

Mitigation Strategies

Immediate mitigation steps include applying the Patchstack mitigation rule that can block attacks targeting this vulnerability until an official patch is released.

Users are strongly advised to update the affected theme to a version higher than 1.1.2 once available.

If an update is not yet available, seek assistance from your hosting provider or web developer to implement protective measures.

Monitoring for suspicious activity related to PHP Object Injection attempts is also recommended.

Compliance Impact

The provided information does not specify how the CVE-2026-22500 vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart