Skip to main content

Beelove CVE-2026-22507

| EUVD-2026-15515 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-03-25 Patchstack GHSA-9w9w-5j2r-h785
Deserialization Beelove
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15515
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in AncoraThemes Beelove beelove allows Object Injection.This issue affects Beelove: from n/a through <= 1.2.6.

AnalysisAI

A PHP Object Injection vulnerability exists in AncoraThemes Beelove WordPress theme through version 1.2.6, allowing attackers to inject and deserialize untrusted objects. This insecure deserialization flaw (CWE-502) enables object injection attacks that could lead to remote code execution or other malicious actions depending on available gadget chains in the WordPress environment. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send malicious serialized object payload
Exploit
Trigger unsafe deserialization in Beelove
Execution
Instantiate arbitrary PHP object
Impact
Execute remote code with WordPress privileges
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Remote unauthenticated attacker can exploit AncoraThemes Beelove plugin versions <= 1.2.6 through deserialization of untrusted data. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Risk assessment is constrained by missing CVSS and EPSS data, limiting quantitative analysis. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious serialized PHP object targeting known gadget chains in WordPress core or installed plugins, embedding it in a POST request or cookie directed at the Beelove theme's vulnerable deserialization endpoint. Upon deserialization, the gadget chain is triggered, potentially leading to arbitrary file write, database modification, or remote code execution depending on available classes. …
Remediation Update the AncoraThemes Beelove theme immediately to a version newer than 1.2.6 once a patch is released by the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all affected systems and apply vendor patches immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-22507 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy