Description
Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection. This issue affects Melody: from n/a through <= 1.6.3.
Published: 2026-03-25
Score: 8.1 (High)
EPSS: < 1% (Very Low)
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from the Melody theme's deserialization of untrusted data. Attackers can craft serialized PHP objects that, when processed by the theme, cause arbitrary object injection. The flaw is classified as PHP Object Injection and maps to CWE-502 (Deserialization of Untrusted Data). If exploited, it can lead to remote code execution, allowing an attacker to compromise the entire WordPress site, exfiltrate data, modify files, or disrupt availability.

Affected Systems

The Melody theme by AncoraThemes is affected on any WordPress site running a release up to and including version 1.6.3. The vulnerability is present in all versions from the first release through 1.6.3; the advisory supplies no fixed version or finer version detail beyond the <= 1.6.3 boundary.

Risk and Exploitability

The CVSS score of 8.1 denotes high severity, while an EPSS score below 1% indicates that the probability of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog, which implies that no widespread attacks have been observed yet. The attack vector is only inferred from the description: malicious serialized data supplied to a WordPress endpoint that the Melody theme deserializes; the source data provides no explicit exploitation details. Nonetheless, because the flaw permits arbitrary code execution, urgent patching is recommended.

Generated by OpenCVE AI on March 26, 2026 at 18:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Melody theme to a patched version that eliminates the deserialization issue.
  • If no patch is immediately available, deactivate the Melody theme or switch to a different theme to prevent the vulnerable code from executing.
  • Verify that the site is no longer processing serialized data from untrusted sources by reviewing application logs and testing functionality.
  • Regularly monitor for signs of exploitation, such as unexpected file creation or execution errors.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values added: Ancorathemes; Ancorathemes melody; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Ancorathemes; Ancorathemes melody; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values added: Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection. This issue affects Melody: from n/a through <= 1.6.3.

Type: Title
Values added: WordPress Melody theme <= 1.6.3 - PHP Object Injection vulnerability

Type: Weaknesses
Values added: CWE-502

Type: References
Values added: (none shown)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:57:26.686Z

Reserved: 2026-01-07T13:44:36.068Z

Link: CVE-2026-22510

Vulnrichment

Updated: 2026-03-26T15:57:23.800Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:33.273

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22510

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:39Z

Weaknesses