Description
Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection. This issue affects Morning Records: from n/a through <= 1.2.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Deserialization of untrusted data in the Morning Records WordPress theme introduces a PHP Object Injection vulnerability. When an attacker can supply crafted serialized payloads, the theme’s deserialization routine may instantiate objects with attacker‑controlled properties, allowing the execution of arbitrary code. The flaw arises from the theme’s handling of serialized input without validation, creating a path for remote code execution or code injection.

Affected Systems

All WordPress installations that use the AncoraThemes Morning Records theme in version 1.2 or earlier are impacted. Versions older than the first release are also affected. Sites that have upgraded beyond 1.2 are not vulnerable to this specific flaw.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, indicating high severity, while the EPSS score is below 1%, suggesting a low likelihood of active exploitation. It is not listed in the CISA KEV catalog, meaning there are no confirmed large‑scale attacks reported. The likely attack vector is remote, via any input path that the theme processes, such as form submissions, URL parameters, or API calls, where a crafted serialized payload can be injected. Successful exploitation would grant the attacker remote code execution capabilities, compromising confidentiality, integrity, and availability of the affected site.

Generated by OpenCVE AI on March 26, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Morning Records theme to the latest available version (≥ 1.3) to remove the deserialization flaw.
  • If an upgrade cannot be performed immediately, deactivate or uninstall the Morning Records theme to eliminate the attack surface.
  • Apply any security updates for WordPress core, plugins, and remaining themes promptly to reduce exposure to similar vulnerabilities.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Ancorathemes; Ancorathemes morning Records; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Ancorathemes; Ancorathemes morning Records; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection. This issue affects Morning Records: from n/a through <= 1.2.

Type: Title
Values Removed: (none)
Values Added: WordPress Morning Records theme <= 1.2 - PHP Object Injection vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-502
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:57:49.012Z

Reserved: 2026-01-07T13:44:36.067Z

Link: CVE-2026-22505

Vulnrichment

Updated: 2026-03-26T15:57:45.816Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:32.603

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22505

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:44Z

Weaknesses