{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22500", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:30.743Z", "datePublished": "2026-03-25T16:14:24.264Z", "dateUpdated": "2026-03-26T15:50:12.430Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "m2-ce", "product": "m2 | Construction and Tools Store", "vendor": "axiomthemes", "versions": [{"lessThanOrEqual": "<= 1.1.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:06.753Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection.<p>This issue affects m2 | Construction and Tools Store: from n/a through <= 1.1.2.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection.This issue affects m2 | Construction and Tools Store: from n/a through <= 1.1.2."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:24.264Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/m2-ce/vulnerability/wordpress-m2-construction-and-tools-store-theme-1-1-2-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress m2 | Construction and Tools Store theme <= 1.1.2 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22500", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:47:26.329117Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:50:12.430Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22500", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:47:26.329117Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:48:13.550Z"}}], "cna": {"title": "WordPress m2 | Construction and Tools Store theme <= 1.1.2 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "affected": [{"vendor": "axiomthemes", "product": "m2 | Construction and Tools Store", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.1.2"}], "packageName": "m2-ce", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:06.753Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/m2-ce/vulnerability/wordpress-m2-construction-and-tools-store-theme-1-1-2-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection.This issue affects m2 | Construction and Tools Store: from n/a through <= 1.1.2.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection.<p>This issue affects m2 | Construction and Tools Store: from n/a through <= 1.1.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:24.264Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22500", "state": "PUBLISHED", "dateUpdated": "2026-03-26T15:50:12.430Z", "dateReserved": "2026-01-07T13:44:30.743Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:24.264Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection.This issue affects m2 | Construction and Tools Store: from n/a through <= 1.1.2."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en axiomthemes m2 | Construction and Tools Store m2-ce permite la inyecci\u00f3n de objetos. Este problema afecta a m2 | Construction and Tools Store: desde n/a hasta &lt;= 1.1.2."}], "id": "CVE-2026-22500", "lastModified": "2026-03-26T17:16:27.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:32.063", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/m2-ce/vulnerability/wordpress-m2-construction-and-tools-store-theme-1-1-2-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "m2 | Construction and Tools Store", "source": "cna", "vendor": "axiomthemes"}, "product": "m2_|_construction_and_tools_store", "vendor": "axiomthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:19:18.881960+00:00", "value": {"mitigation_remediation": ["Upgrade the m2 | Construction and Tools Store theme to any version newer than 1.1.2.", "Verify that the upgraded theme has eliminated the vulnerable deserialization logic.", "Monitor the site for unusual activity such as unexpected file uploads or PHP error logs that could indicate exploitation attempts."], "summary": {"action": "Patch Deployment", "impact": "Remote Code Execution potential"}, "threat_synthesis": {"affected_systems": "The affected product is the WordPress theme m2 | Construction and Tools Store from axiomthemes. Any installation using version 1.1.2 or earlier is vulnerable. No newer version has been listed in the description, so all releases up to and including 1.1.2 should be treated as impacted.", "description_and_impact": "The vulnerability is a PHP Object Injection flaw that occurs when the axiomthemes m2 theme deserializes untrusted data. Because the theme accepts serialized input from public\u2011facing components, an attacker can supply crafted data that creates harmful PHP objects, potentially allowing arbitrary code to run on the server. This is a classic instance of CWE\u2011502, where deserialization permits an attacker to manipulate internal state and achieve code execution.", "risk_and_exploitability": "No CVSS score or EPSS data is provided, and the issue is not listed in CISA\u2019s KEV catalog, yet PHP Object Injection remains a high\u2011risk vulnerability with a high exploitation likelihood. The likely attack vector is when the theme processes user\u2011supplied data such as form submissions or file uploads that contain serialized payloads. If an attacker can craft such data, they can trigger the deserialization routine and trigger the malicious code, compromising confidentiality, integrity, and availability of the affected site."}}}}, "created": "2026-03-25T21:35:19.727842+00:00", "updated": "2026-03-26T11:40:34.197561+00:00", "vendors": ["axiomthemes", "axiomthemes$PRODUCT$m2_|_construction_and_tools_store", "wordpress", "wordpress$PRODUCT$wordpress"]}