Description
Deserialization of Untrusted Data vulnerability in AncoraThemes SevenHills sevenhills allows Object Injection. This issue affects SevenHills: from n/a through <= 1.6.2.
Published: 2026-02-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution through PHP object injection
Action: Immediate Patch
AI Analysis

Impact

AncoraThemes SevenHills theme suffers from a deserialization of untrusted data flaw that permits PHP object injection. Attackers can craft malicious serialized payloads that, when processed by the theme, result in arbitrary code execution. The weakness is classified as CWE-502, indicating that the application fails to guard against potentially dangerous serialized data it receives.
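To make the CWE-502 mechanism concrete, the following PHP illustration is added here; it is not code from the SevenHills theme, and the class `WakeupProbe`, the `loadSettings*` functions and the sample payload are all constructed for this example. It shows why passing request data to `unserialize()` is dangerous (a magic method of an arbitrary class runs before the application ever inspects the result) and the two defensive patterns that close that path: `allowed_classes => false`, which yields a `__PHP_Incomplete_Class` placeholder instead of instantiating the named class, or avoiding PHP serialization for untrusted input in favour of JSON.

```php
<?php
// Added illustration of CWE-502 / PHP object injection. Not the theme's code:
// WakeupProbe, loadSettingsUnsafe/Safe/Json and the payload are constructed.
declare(strict_types=1);

// Stand-in for any class loaded in a WordPress install whose magic methods run
// during deserialization. Here __wakeup only records that it was invoked; a
// real gadget class might touch files, the database or include paths instead.
final class WakeupProbe
{
    public static array $log = [];
    public string $note = '';

    public function __wakeup(): void
    {
        self::$log[] = 'WakeupProbe::__wakeup ran with note=' . $this->note;
    }
}

// Vulnerable pattern: serialized data from a request reaches unserialize()
// with no restriction on which classes may be instantiated.
function loadSettingsUnsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1: refuse to instantiate any class. PHP 7.0+ substitutes a
// __PHP_Incomplete_Class placeholder, so no __wakeup/__destruct of an
// application class is ever reached. Malformed input is rejected explicitly.
function loadSettingsSafe(string $untrusted): mixed
{
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    if ($value === false && $untrusted !== serialize(false)) {
        throw new RuntimeException('malformed serialized data rejected');
    }
    return $value;
}

// Hardened pattern 2: do not use PHP serialization for untrusted input at all.
// JSON carries no class-instantiation semantics; depth is capped and errors throw.
function loadSettingsJson(string $untrusted): array
{
    $value = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new RuntimeException('settings must be a JSON object');
    }
    return $value;
}

// Constructed payload: the serialized form of an object the application never
// intended to accept, as it would arrive in a request parameter.
$probe = new WakeupProbe();
$probe->note = 'from request';
$payload = serialize($probe);

// Unsafe path: the class is instantiated and its __wakeup runs immediately.
loadSettingsUnsafe($payload);
printf("unsafe path: %d __wakeup call(s)\n", count(WakeupProbe::$log));

// Safe path: the same bytes produce a placeholder object and no magic method runs.
WakeupProbe::$log = [];
$result = loadSettingsSafe($payload);
printf("safe path: %d __wakeup call(s), decoded as %s\n",
    count(WakeupProbe::$log), get_class($result));

// JSON path: settings with no object semantics at all.
var_dump(loadSettingsJson('{"layout":"wide","sidebar":false}'));
```

Run it with the PHP CLI (PHP 8.0 or later, for the `mixed` return type). The serialized payload has the shape `O:<length>:"<ClassName>":<count>:{...}`; that `O:` token followed by a quoted class name is also what a WAF rule or log review looking for object-injection attempts against a PHP application would key on, allowing for URL and base64 encoding of request parameters.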

Affected Systems

This vulnerability affects the AncoraThemes SevenHills WordPress theme for all releases up to and including version 1.6.2. No higher versions are listed as affected.

Risk and Exploitability

The CVSS score of 9.8 signals a critical severity, and the EPSS score of less than 1% suggests that exploitation is unlikely but still possible. It is not listed in the CISA KEV catalog. The likely attack vector is any pathway that delivers untrusted serialized data into the theme’s processing logic, such as user‑submitted content or REST endpoints. Successful exploitation would allow an attacker to run arbitrary code on the web server, compromising confidentiality, integrity and availability.

Generated by OpenCVE AI on April 27, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest SevenHills theme release that removes the deserialization flaw (any version newer than 1.6.2).
  • If an update is not yet available, temporarily deactivate or uninstall the SevenHills theme to prevent exploitation until a fix is applied.
  • Configure a web application firewall or equivalent rule set to block requests carrying serialized PHP objects from untrusted sources and restrict file uploads that could carry malicious payloads.
  • Monitor web server logs for evidence of object injection attempts and review for unauthorized access after remediation.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 15:15:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 22:30:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ancorathemes; Ancorathemes sevenhills; Wordpress; Wordpress wordpress
Vendors & Products  |                | Ancorathemes; Ancorathemes sevenhills; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Deserialization of Untrusted Data vulnerability in AncoraThemes SevenHills sevenhills allows Object Injection. This issue affects SevenHills: from n/a through <= 1.6.2.
Title       |                | WordPress SevenHills theme <= 1.6.2 - PHP Object Injection vulnerability
Weaknesses  |                | CWE-502
References  |                |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:56:16.296Z

Reserved: 2025-12-31T20:13:05.451Z

Link: CVE-2025-69372

Vulnrichment

Updated: 2026-02-24T21:02:39.981Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:21.440

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69372

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:30:12Z

Weaknesses