Description
Deserialization of Untrusted Data vulnerability in axiomthemes Estate estate allows Object Injection. This issue affects Estate: from n/a through <= 1.3.4.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a deserialization-of-untrusted-data flaw (CWE-502): serialized input from an untrusted source is handed to a deserialization routine without validation, allowing an attacker to inject objects and subsequently execute arbitrary code on the affected system. If exploited, an attacker can gain complete control of the WordPress site, compromising the confidentiality and integrity of its data and gaining the ability to modify, delete, or exfiltrate content.

Affected Systems

The Estate theme by axiomthemes for WordPress is affected. All released versions from the earliest available through version 1.3.4 are vulnerable. Only installations using a newer version or a different theme are immune.

Risk and Exploitability

The CVSS score is 9.8, classifying the vulnerability as critical. The EPSS score is below 1%, indicating a very low current exploitation probability. The issue is not listed in CISA’s KEV catalog. The attack vector is not explicitly detailed in the advisory; based on the description it is inferred that exploitation can occur via any input path that the Estate theme processes, such as form submissions or administrative actions within WordPress. The flaw allows remote attackers who can supply input to the theme’s data-handling routines to inject malicious objects.

Generated by OpenCVE AI on April 16, 2026 at 05:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Estate theme to the latest version that incorporates the fix for this deserialization flaw.
  • If the theme is no longer required, deactivate or uninstall it entirely from the WordPress installation.
  • Restrict access to WordPress administrative features and ensure that plugins or custom code do not expose deserialization points; consider implementing input validation or removal of the vulnerable deserialization routine as an additional safeguard.
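As an added illustration (not code from the Estate theme, whose internals the advisory does not show, nor from OpenCVE), the weak PHP pattern that CWE-502 describes beside a hardened handler for the same input; the `theme_*` function names and the cookie values are hypothetical, constructed for this example.

```php
<?php
// Added example, not code from the Estate theme or from OpenCVE:
// the weak PHP pattern CWE-502 describes, beside a hardened handler.
// theme_* function names and the cookie values are hypothetical.

// Weak: unserialize() on attacker-controlled bytes instantiates whatever
// class the payload names and runs its magic methods (__wakeup, __destruct).
// That is what "PHP Object Injection" in the advisory means.
function theme_read_layout_weak(string $cookieValue): array
{
    $data = unserialize($cookieValue);   // CWE-502: untrusted input
    return is_array($data) ? $data : [];
}

// Keep only allow-listed keys whose values are plain scalars.
function theme_filter_layout(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        if (in_array($key, ['columns', 'sidebar'], true) && is_scalar($value)) {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Hardened: no class may be instantiated, and the shape is validated.
function theme_read_layout_safe(string $cookieValue): array
{
    // allowed_classes => false (PHP >= 7.0): every object in the payload
    // becomes __PHP_Incomplete_Class, so no constructor or magic method runs.
    $data = @unserialize($cookieValue, ['allowed_classes' => false]);
    return is_array($data) ? theme_filter_layout($data) : [];
}

// Preferred for new code: JSON decoded with $associative = true never
// materialises PHP objects, so this bug class cannot occur at all.
function theme_read_layout_json(string $value): array
{
    $data = json_decode($value, true, 4);
    return is_array($data) ? theme_filter_layout($data) : [];
}

// Constructed inputs: a legitimate layout and one carrying an object.
$legit   = 'a:1:{s:7:"columns";i:2;}';
$tainted = 'a:1:{s:7:"columns";O:8:"stdClass":0:{}}';
var_dump(theme_read_layout_safe($legit));
var_dump(theme_read_layout_safe($tainted));
var_dump(theme_read_layout_json('{"columns":2,"sidebar":"left"}'));
```

With the hardened handler the tainted input yields an empty array because the embedded object is turned into an incomplete class and then dropped by the scalar allow-list, whereas the weak handler would have instantiated it.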


Advisories

No advisories yet.

History

Mon, 09 Mar 2026 16:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values added: Axiomthemes; Axiomthemes estate; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Axiomthemes; Axiomthemes estate; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values added: Deserialization of Untrusted Data vulnerability in axiomthemes Estate estate allows Object Injection. This issue affects Estate: from n/a through <= 1.3.4.
Type: Title
Values added: WordPress Estate theme <= 1.3.4 - PHP Object Injection vulnerability
Type: Weaknesses
Values added: CWE-502
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:59.041Z

Reserved: 2026-01-07T13:44:16.750Z

Link: CVE-2026-22475

Vulnrichment

Updated: 2026-03-09T15:21:42.786Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:21.163

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22475

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z

Weaknesses