{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22507", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:36.067Z", "datePublished": "2026-03-25T16:14:25.846Z", "dateUpdated": "2026-03-25T16:14:25.846Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "beelove", "product": "Beelove", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "<= 1.2.6", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:09.033Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Beelove beelove allows Object Injection.<p>This issue affects Beelove: from n/a through <= 1.2.6.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Beelove beelove allows Object Injection.This issue affects Beelove: from n/a through <= 1.2.6."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:25.846Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/beelove/vulnerability/wordpress-beelove-theme-1-2-6-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Beelove theme <= 1.2.6 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Beelove beelove allows Object Injection.This issue affects Beelove: from n/a through <= 1.2.6."}], "id": "CVE-2026-22507", "lastModified": "2026-03-25T17:16:32.870", "metrics": {}, "published": "2026-03-25T17:16:32.870", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/beelove/vulnerability/wordpress-beelove-theme-1-2-6-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:54:27.508800+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the Beelove theme released by AncoraThemes.", "If no newer version is available, deactivate the Beelove theme or switch to a different secure theme.", "Remove the vulnerable Beelove files from the WordPress installation.", "Restrict deserialized data so that only trusted sources are processed, or disable functionality that accepts serialized input from untrusted users.", "Monitor web and server logs for abnormal activity or signs of deserialization attempts.", "Keep WordPress core and all plugins up to date to reduce overall attack surface."], "summary": {"action": "Update theme", "impact": "Remote code execution via PHP object injection"}, "threat_synthesis": {"affected_systems": "All sites using AncoraThemes Beelove version 1.2.6 or earlier are affected. The issue applies to every release from the initial launch up to and including 1.2.6 on WordPress installations that employ this theme.", "description_and_impact": "The AncoraThemes Beelove WordPress theme contains an untrusted deserialization flaw that allows PHP object injection. When the theme processes serialized user input, attacker\u2011controlled data can instantiate PHP objects, potentially leading to arbitrary code execution. This weakness compromises confidentiality, integrity, and availability and is classified as CWE\u2011502.", "risk_and_exploitability": "Formal CVSS and EPSS scores are not published, so the exact severity and likelihood cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can trigger the flaw remotely by sending crafted serialized data through a specially crafted request, such as a URL parameter, form field, or cookie, that the theme processes. Until the theme is updated or the deserialization vector is removed, the overall risk remains significant."}}}}, "created": "2026-03-25T21:35:13.241541+00:00", "updated": "2026-03-25T21:35:13.241609+00:00", "vendors": []}