CVE-2026-22417 - Vulnerability Details

- WordPress Grand Wedding theme < 3.1.11 - PHP Object Injection vulnerability

Description

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection.This issue affects Grand Wedding: from n/a through < 3.1.11.

Published: 2026-03-05

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Deserialization of untrusted data within the Grand Wedding theme allows an attacker to inject crafted PHP objects. Such object injection enables the execution of arbitrary code on the server, potentially compromising the entire WordPress installation. The flaw is a classic insecure deserialization vulnerability classified as CWE‑502, posing a severe risk to confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects ThemeGoods’ Grand Wedding WordPress theme versions up to 3.1.10 inclusive. Any site that has installed or is still using a version at or below 3.1.10 is potentially exposed. No other vendors or products are listed as impacted.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is considered High severity. The EPSS score of less than 1% indicates a low probability of widespread exploitation at present, and the issue is not listed in the CISA KEV catalog. However, the flaw can be abused through standard web requests to the WordPress site, where the theme processes serialized data. Attackers would need to supply a malicious payload via any input that the theme accepts, so the main vector is the web application itself rather than external network services.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ThemeGoods

Grand Wedding

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.1.11

No data.

Vendor Product Confidence Versions

Themegoods

Grand Wedding

100%

Version	Status	Scheme	Platform
`[0,3.1.0]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Grand Wedding theme to the latest available release that removes the vulnerable deserialization logic.
If an update is not possible, deactivate or delete the Grand Wedding theme to stop loading the vulnerable code.
Configure the web server or file system to grant only read permissions to the theme directory, preventing accidental execution of malicious code from that location.

Generated by OpenCVE AI on April 28, 2026 at 17:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00058.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/grandwedding/vulnerability/wordpress-grand-wedding-theme-3-1-0-php-object-injection-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection.This issue affects Grand Wedding: from n/a through <= 3.1.0.	Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection.This issue affects Grand Wedding: from n/a through < 3.1.11.
Title	WordPress Grand Wedding theme <= 3.1.0 - PHP Object Injection vulnerability	WordPress Grand Wedding theme < 3.1.11 - PHP Object Injection vulnerability
Metrics	cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 09 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Themegoods Themegoods grand Wedding Wordpress Wordpress wordpress
Vendors & Products		Themegoods Themegoods grand Wedding Wordpress Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection.This issue affects Grand Wedding: from n/a through <= 3.1.0.
Title		WordPress Grand Wedding theme <= 3.1.0 - PHP Object Injection vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/Wordpress/Theme/grandwedding/vulnerability/wordpress-grand-wedding-theme-3-1-0-php-object-injection-vulnerability?_s_id=cve

Subscriptions

Themegoods Grand Wedding

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-05T05:53:37.223Z

Updated: 2026-04-28T17:07:53.950Z

Reserved: 2026-01-07T12:22:01.195Z

Link: CVE-2026-22417

Vulnrichment

Updated: 2026-03-09T16:45:36.566Z

NVD

Status : Deferred

Published: 2026-03-05T06:16:15.590

Modified: 2026-04-28T19:36:35.933

Link: CVE-2026-22417

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T17:45:16Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object