Description
Deserialization of Untrusted Data vulnerability in AncoraThemes KindlyCare kindlycare allows Object Injection. This issue affects KindlyCare: from n/a through <= 1.6.1.
Published: 2026-02-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability results from deserialization of untrusted data within the AncoraThemes KindlyCare theme, which allows an attacker to inject malicious objects. This object injection can lead to remote code execution, giving the attacker full control over the affected WordPress site. The weakness is classified as CWE-502 (Deserialization of Untrusted Data).

Affected Systems

WordPress sites that use the AncoraThemes KindlyCare theme, versions up to and including 1.6.1.

Risk and Exploitability

The CVSS score of 9.8 categorizes this flaw as critical, but the EPSS score of < 1% indicates a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker sending crafted serialized data to the theme’s PHP code, potentially via HTTP requests or plugin form fields.

Generated by OpenCVE AI on April 27, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest AncoraThemes KindlyCare theme update (>= 1.6.2).
  • If an immediate update is not possible, deactivate and delete the theme until a patch is available.
  • Configure a Web Application Firewall to block requests that carry serialized PHP object payloads, or restrict direct access to the theme’s PHP files.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 05:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 22:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ancorathemes; Ancorathemes kindlycare; Wordpress; Wordpress wordpress
Vendors & Products | | Ancorathemes; Ancorathemes kindlycare; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | Deserialization of Untrusted Data vulnerability in AncoraThemes KindlyCare kindlycare allows Object Injection. This issue affects KindlyCare: from n/a through <= 1.6.1.
Title | | WordPress KindlyCare theme <= 1.6.1 - PHP Object Injection vulnerability
Weaknesses | | CWE-502
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:56:07.012Z

Reserved: 2025-12-31T20:12:41.876Z

Link: CVE-2025-69371

Vulnrichment

Updated: 2026-02-24T21:00:17.553Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:21.300

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69371

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:30:12Z

Weaknesses