Description
Deserialization of Untrusted Data vulnerability in axiomthemes Mounthood mounthood allows Object Injection.This issue affects Mounthood: from n/a through <= 1.3.2.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via PHP Object Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability involves the mishandling of serialized input data within the Mounthood theme, allowing an attacker to inject malicious PHP objects during deserialization. This flaw falls under CWE‑502 and can be leveraged to execute arbitrary code on the host, compromising confidentiality, integrity, and availability of the affected WordPress installation.

Affected Systems

Affected products are the WordPress Mounthood theme from the vendor axiomthemes, with any release up through version 1.3.2. Versions beyond 1.3.2 are not impacted.

Risk and Exploitability

An attacker can exploit this flaw by submitting specially crafted serialized data to the theme’s processing routines, typically via a web request. The CVSS score of 9.8 classifies it as Critical, yet the EPSS score indicates that the probability of automated exploitation is currently less than 1 %. The vulnerability is not listed in CISA’s KEV catalog, but the high severity remains a significant risk, especially for sites that expose the theme’s data handling endpoints to Internet users.

Generated by OpenCVE AI on April 16, 2026 at 05:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Mounthood theme to a version newer than 1.3.2 or apply the vendor’s official patch if available.
  • If an upgrade is not possible, deactivate or remove the Mounthood theme entirely to eliminate the vulnerable code path.
  • If the theme must remain in use, restrict access to any functionality that accepts serialized input and enable PHP’s disable_functions setting to block unserialize(), or employ input validation to reject untrusted serialized data.

Generated by OpenCVE AI on April 16, 2026 at 05:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Axiomthemes
Axiomthemes mounthood
Wordpress
Wordpress wordpress
Vendors & Products Axiomthemes
Axiomthemes mounthood
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in axiomthemes Mounthood mounthood allows Object Injection.This issue affects Mounthood: from n/a through <= 1.3.2.
Title WordPress Mounthood theme <= 1.3.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Axiomthemes Mounthood
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:00.906Z

Reserved: 2026-01-07T13:44:30.743Z

Link: CVE-2026-22501

cve-icon Vulnrichment

Updated: 2026-03-09T14:31:15.168Z

cve-icon NVD

Status : Deferred

Published: 2026-03-05T06:16:21.957

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22501

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z

Weaknesses