{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22505", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:36.067Z", "datePublished": "2026-03-25T16:14:25.319Z", "dateUpdated": "2026-03-25T16:14:25.319Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "morning-records", "product": "Morning Records", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "<= 1.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:08.373Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection.<p>This issue affects Morning Records: from n/a through <= 1.2.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection.This issue affects Morning Records: from n/a through <= 1.2."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:25.319Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/morning-records/vulnerability/wordpress-morning-records-theme-1-2-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Morning Records theme <= 1.2 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection.This issue affects Morning Records: from n/a through <= 1.2."}], "id": "CVE-2026-22505", "lastModified": "2026-03-25T17:16:32.603", "metrics": {}, "published": "2026-03-25T17:16:32.603", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/morning-records/vulnerability/wordpress-morning-records-theme-1-2-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:24:10.792848+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the Morning Records theme (\u22651.3) from AncoraThemes.", "If an upgrade is not feasible, deactivate or delete the Morning Records theme to eliminate the flaw.", "Ensure that any custom code or plugins do not expose unserialize calls to untrusted data."], "summary": {"action": "Immediate Patch", "impact": "Object Injection leading to Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects all installations of the Morning Records theme version 1.2 and earlier. The theme is used on WordPress sites, so any site running an affected version is at risk. The vulnerability is present across the entire theme codebase and cannot be limited to a specific component.", "description_and_impact": "Morning Records, a WordPress theme provided by AncoraThemes, contains a deserialization flaw that permits untrusted data to create arbitrary PHP objects. This object injection weakness can lead to the execution of malicious code or manipulation of application logic. The vulnerability is classified as a PHP Object Injection (CWE\u2011502), allowing attackers to inject attacker\u2011controlled objects into the application flow.", "risk_and_exploitability": "Because no CVSS score is supplied and EPSS data is unavailable, the exact numerical severity cannot be quantified here. However, the ability to perform object injection typically grants attackers remote code execution or significant control over the affected WordPress instance. The vulnerability is not listed in CISA's KEV catalog, but the lack of a patch note suggests that it might still be actively exploited. The likely attack vector would involve sending crafted requests to the theme's endpoints that trigger data deserialization, which can be performed remotely via network access to the WordPress site."}}}}, "created": "2026-03-25T21:35:15.828032+00:00", "updated": "2026-03-25T21:35:15.828058+00:00", "vendors": []}