Description
Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection. This issue affects m2 | Construction and Tools Store: from n/a through <= 1.1.2.
Published: 2026-03-25
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

A flaw in the axiomthemes m2 | Construction and Tools Store WordPress theme allows malicious users to send serialized data that will be deserialized by the theme code. When the data is untrusted, attackers can inject PHP objects that may execute arbitrary code during the deserialization process. This vulnerability is classified as a deserialization issue and is identified by CWE-502.

Affected Systems

WordPress installations that have the m2 theme installed in any version up to and including 1.1.2 are vulnerable. The vulnerability exists in every release of the theme from the first public release through version 1.1.2.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 places this issue in the Critical range (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low complexity, no privileges or user interaction required), while the EPSS score of less than 1% indicates that, as of now, the probability of exploitation in the wild is low. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, so no confirmed in-the-wild exploitation has been recorded there. The likely attack vector is inferred from the description: an attacker would need to craft a serialized payload and transmit it to the theme through a publicly accessible web request that triggers the deserialization routine. Successful exploitation would give the attacker full control over the affected WordPress site.
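The deserialization pattern the analysis describes, shown as an added illustration rather than code from the m2 theme (the theme's affected routine is not on this page): a handler that hands request data straight to unserialize(), beside two hardened forms a maintainer or reviewer would look for. Function names, parameter names and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example, not code from the m2 theme. Illustrates the CWE-502 pattern
// named in the advisory and two hardened alternatives. All names here are
// assumptions for illustration.

declare(strict_types=1);

// Vulnerable pattern: untrusted request data fed straight to unserialize().
// PHP instantiates whatever class the payload names, so any class with magic
// methods (__wakeup, __destruct, __toString, ...) loaded by WordPress, its
// plugins or the theme becomes reachable from an unauthenticated request.
function load_settings_unsafe(string $raw): mixed
{
    return unserialize($raw); // CWE-502: no class restriction
}

// Hardened variant 1: keep unserialize() but refuse all objects. Objects in
// the payload become __PHP_Incomplete_Class placeholders instead of real
// instances, so no magic method runs; the caller can then detect and log
// the attempt, which is also a useful detection signal for a settings blob
// that should only ever contain scalars and arrays.
function load_settings_safe(string $raw): array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (contains_object($value)) {
        error_log('settings payload contained an object; rejecting');
        throw new InvalidArgumentException('object in settings payload');
    }
    return is_array($value) ? $value : [];
}

// Recursively checks whether a decoded value contains any object
// (a __PHP_Incomplete_Class placeholder counts as an object).
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened variant 2: for new code, carry settings as JSON. json_decode()
// never instantiates classes, so there is no object-injection surface.
function load_settings_json(string $raw): array
{
    $value = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    return is_array($value) ? $value : [];
}

// Constructed inputs for a quick self-check (not real theme data).
$benign = serialize(['color' => 'blue', 'columns' => 3]);
// Constructed: a harmless stdClass, used only to show the rejection path.
$withObject = 'O:8:"stdClass":1:{s:4:"name";s:3:"foo";}';

var_dump(load_settings_safe($benign));            // array with two keys
try {
    load_settings_safe($withObject);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";         // object refused, nothing instantiated
}
var_dump(load_settings_json('{"color":"blue"}'));
```

When auditing a theme or plugin for this class of bug, the first check is every call to unserialize() whose argument can be traced back to a request parameter, cookie or option value an unauthenticated user can write; each such call should either pass allowed_classes => false or be replaced by a JSON round trip as above.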

Generated by OpenCVE AI on March 26, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the m2 theme to a version newer than 1.1.2
  • Verify the update has removed the vulnerability by testing or reviewing the updated code
  • Keep WordPress core, plugins, and the theme itself up to date to minimize future risks


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values added:
  Axiomthemes
  Axiomthemes m2 | Construction And Tools Store
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values added:
  Axiomthemes
  Axiomthemes m2 | Construction And Tools Store
  Wordpress
  Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values added: Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection.This issue affects m2 | Construction and Tools Store: from n/a through <= 1.1.2.

Type: Title
Values added: WordPress m2 | Construction and Tools Store theme <= 1.1.2 - PHP Object Injection vulnerability

Type: Weaknesses
Values added: CWE-502

Type: References (no values listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:50:12.430Z

Reserved: 2026-01-07T13:44:30.743Z

Link: CVE-2026-22500

Vulnrichment

Updated: 2026-03-26T15:48:13.550Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:32.063

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22500

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:48Z

Weaknesses