Description
Deserialization of Untrusted Data vulnerability in AncoraThemes Handyman handyman-services allows Object Injection. This issue affects Handyman: from n/a through <= 1.4.7.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

The AncoraThemes Handyman theme for WordPress contains a deserialization defect: untrusted data is processed as PHP objects. This flaw, known as PHP object injection, can allow an attacker to execute arbitrary code on the affected server, potentially leading to full system compromise and data loss.

Affected Systems

All WordPress sites using the Handyman theme version 1.4.7 or older are vulnerable. The problem was identified in every release from the first version up to and including 1.4.7.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating severe potential impact. Its EPSS score is reported as <1%, suggesting that worldwide exploitation is expected to be rare, and the flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the attack vector is likely through crafted serialized data submitted via the theme’s interfaces, though the precise prerequisites are not detailed in the advisory. Given the high severity and the possibility of remote code execution, the risk to systems that have not applied a fix remains significant.

Generated by OpenCVE AI on April 16, 2026 at 05:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Handyman theme to the latest released version (currently above 1.4.7).
  • If a newer theme release is not yet available, temporarily deactivate or remove the Handyman theme from the site to halt exploitation attempts.
  • Apply defensive programming practices: validate and sanitize every input that will be deserialized, and use libraries or API options that refuse to turn untrusted data into objects, which mitigates this whole class of vulnerability.

Generated by OpenCVE AI on April 16, 2026 at 05:24 UTC.
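The third recommended action, as an added PHP example that is not code from the Handyman theme, Patchstack or OpenCVE: the unsafe unserialize() pattern that CWE-502 describes, beside a replacement that never lets untrusted input become a PHP object. Function names and the two sample inputs are constructed for this illustration.

```php
<?php
// Added example, not AncoraThemes/Handyman code. Function names and
// inputs are hypothetical; the pattern is the one CWE-502 describes.

// VULNERABLE: untrusted request data goes straight into unserialize().
// Any class loaded on the site can be instantiated from the string, and its
// __wakeup()/__destruct() magic methods run with the web server's privileges.
function vulnerable_load_settings(string $raw)
{
    return unserialize($raw);
}

// HARDENED: unserialize() may only produce scalars and arrays.
// allowed_classes => false (PHP >= 7.0) turns every serialized object into a
// __PHP_Incomplete_Object, so no real class and no magic method is reached;
// any object that still appears is then rejected outright.
function safe_load_settings(string $raw): ?array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== serialize(false)) {
        return null; // malformed input
    }
    if (!is_array($data) || contains_object($data)) {
        return null; // wrong shape, or an object smuggled inside an array
    }
    return $data;
}

function contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a plain array, and the same data wrapped in a stdClass.
$plain  = 'a:1:{s:5:"color";s:4:"blue";}';
$object = 'O:8:"stdClass":1:{s:5:"color";s:4:"blue";}';
var_dump(safe_load_settings($plain));
var_dump(safe_load_settings($object));
```

Where the data format can still be chosen, json_decode() on JSON input is preferable to any use of unserialize(), because JSON cannot encode PHP objects at all.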

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values Removed: Deserialization of Untrusted Data vulnerability in AncoraThemes Handyman handyman-services allows Object Injection.This issue affects Handyman: from n/a through <= 1.4.
  Values Added: Deserialization of Untrusted Data vulnerability in AncoraThemes Handyman handyman-services allows Object Injection.This issue affects Handyman: from n/a through <= 1.4.7.
Type: Title
  Values Removed: WordPress Handyman theme <= 1.4 - PHP Object Injection vulnerability
  Values Added: WordPress Handyman theme <= 1.4.7 - PHP Object Injection vulnerability

Mon, 09 Mar 2026 17:15:00 +0000

Type: Metrics
  Values Added:
    cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
  Values Added: Ancorathemes, Ancorathemes handyman, Wordpress, Wordpress wordpress
Type: Vendors & Products
  Values Added: Ancorathemes, Ancorathemes handyman, Wordpress, Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
  Values Added: Deserialization of Untrusted Data vulnerability in AncoraThemes Handyman handyman-services allows Object Injection.This issue affects Handyman: from n/a through <= 1.4.
Type: Title
  Values Added: WordPress Handyman theme <= 1.4 - PHP Object Injection vulnerability
Type: Weaknesses
  Values Added: CWE-502
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T17:14:52.387Z

Reserved: 2026-01-07T13:43:49.724Z

Link: CVE-2026-22451

Vulnrichment

Updated: 2026-03-09T16:13:29.874Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:19.323

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22451

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z

Weaknesses