Description
Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection.This issue affects Jardi: from n/a through <= 1.7.2.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a PHP deserialization flaw in the AncoraThemes Jardi theme for WordPress that allows an attacker to inject objects into the theme’s processing pipeline. If an attacker can supply an untrusted serialized payload that the theme deserializes, the flaw can be used to execute arbitrary PHP code with the permissions of the WordPress site, giving full control over the server. This weakness is classified as CWE‑502, indicating a deserialization of untrusted data.

Affected Systems

AncoraThemes Jardi theme for WordPress, all releases from the initial package through version 1.7.2 are affected. The vulnerability applies to any WordPress installation that has the Jardi theme active and has not installed an update newer than 1.7.2.

Risk and Exploitability

The CVSS score of 9.8 denotes critical severity, while the low EPSS score of less than 1% suggests that the vulnerability is not currently widely exploited. The issue is not listed in the CISA KEV catalog, indicating that known active exploitation is not reported. Based on the description, it is inferred that the attack vector likely involves a user‑controlled serialized input that triggers the vulnerable deserialization routine via a WordPress page or plugin; when exploited, the attacker could achieve remote code execution with site‑wide privileges.

Generated by OpenCVE AI on April 16, 2026 at 12:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AncoraThemes Jardi theme to a release newer than 1.7.2 where the deserialization logic has been fixed.
  • If an upgrade is not immediately feasible, deactivate the Jardi theme and switch the site to a known‑safe default or alternative theme.
  • Remove or disable the code path in the theme that deserializes untrusted data, ensuring that any user‑controlled input is strictly validated or not processed.

Generated by OpenCVE AI on April 16, 2026 at 12:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Ancorathemes
Ancorathemes jardi
Wordpress
Wordpress wordpress
Vendors & Products Ancorathemes
Ancorathemes jardi
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection.This issue affects Jardi: from n/a through <= 1.7.2.
Title WordPress Jardi theme <= 1.7.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Ancorathemes Jardi
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:00.740Z

Reserved: 2026-01-07T13:44:30.742Z

Link: CVE-2026-22497

cve-icon Vulnrichment

Updated: 2026-03-09T19:50:12.308Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:21.820

Modified: 2026-03-09T20:16:06.360

Link: CVE-2026-22497

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:00:11Z

Weaknesses