3576 matches found
CVE-2026-22384
CVE-2026-22384 describes a deserialization vulnerability in the WordPress plugin Applay - Shortcodes (versions up to and including 3.7) that enables PHP Object Injection via untrusted data. The WP-exposed issue is associated with the leafcolor Applay - Shortcodes code path and is rated CRITICAL (...
CVE-2026-22354
Summary of CVE-2026-22354 (WordPress WooCommerce Banner Management plugin <= 2.5.1): The issue is a PHP object injection due to deserialization of untrusted data in the Banner Management for WooCommerce component. Affected product/version: Banner Management, Product Slider & Carousel for WooCo...
CVE-2026-22354 WordPress Woocommerce Category Banner Management plugin <= 2.5.1 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce allows Object Injection. This issue affects Woocommerce Category Banner Management: from n/a through <= 2.5.1...
CVE-2026-22346
CVE-2026-22346 refers to a deserialization of untrusted data (PHP Object Injection) in the WordPress plugin Slider Responsive Slideshow – Image slider, Gallery slideshow (versions up to and including 1.5.4). Multiple sources confirm the vulnerability and its impact, with Red Hat, NVD, CVE lists, ...
CVE-2026-22345
CVE-2026-22345 stems from a deserialization/object-injection flaw in the WordPress plugin family Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery (component: new-image-gallery). The Red Hat/NVD entries and PatchStack corroborate that versions up to and including 1.6.0 ...
CVE-2025-69404 WordPress Extreme Store theme <= 1.5.10 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in ThemeREX Extreme Store extremestore allows Object Injection. This issue affects Extreme Store: from n/a through <= 1.5.10...
CVE-2025-69370
CVE-2025-69370: PHP Object Injection in WordPress Capella theme (Capella
CVE-2025-69372 WordPress SevenHills theme <= 1.6.2 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in AncoraThemes SevenHills sevenhills allows Object Injection. This issue affects SevenHills: from n/a through <= 1.6.2...
CVE-2025-69329 WordPress Prestige theme < 1.4.1 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in Jthemes Prestige prestige allows Object Injection. This issue affects Prestige: from n/a through 1.4.1...
CVE-2025-69329
Deserialization of Untrusted Data in WordPress Theme Prestige (CVE-2025-69329) affects Prestige versions prior to 1.4.1. The issue enables PHP object injection via untrusted data deserialization, with assessed impact described as high confidentiality/integrity/availability concerns. Mitigation: u...
CVE-2025-69294
CVE-2025-69294 affects the PeakShops WordPress theme (PeakShops) with PHP Object Injection via deserialization of untrusted data. Affected product/version: PeakShops theme up to and including 1.5.9 (n/a through 1.5.9). Root cause: deserialization of untrusted data leading to object injection. Doc...
CVE-2025-68853 WordPress Contact Manager plugin <= 9.1.1 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection. This issue affects Contact Manager: from n/a through <= 9.1.1...
CVE-2025-68541
CVE-2025-68541 affects WordPress theme Ippsum up to version 1.2.0, describing a deserialization (PHP object injection) vulnerability. Wordfence and Patchstack corroborate the issue and indicate remediation is to update to a newer version (post-1.2.0). The CVSS metrics in the base entry show overa...
CVE-2025-68531 WordPress ModelTheme Addons for WPBakery and Elementor plugin < 1.5.6 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery allows Object Injection. This issue affects ModelTheme Addons for WPBakery and Elementor: from n/a through 1.5.6...
CVE-2025-67997 WordPress Travelicious theme < 1.6.7 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in BoldThemes Travelicious travelicious allows Object Injection. This issue affects Travelicious: from n/a through 1.6.7...
CVE-2025-67997
Travelicious theme (WordPress) ≤ 1.6.6 is affected by a Deserialization of Untrusted Data PHP Object Injection vulnerability due to object deserialization in Travelicious (Travelicious) that allows unauthenticated exploitation. Affected software: Travelicious: from n/a through
CVE-2025-67996 WordPress Nestin theme < 1.2.6 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in BoldThemes Nestin nestin allows Object Injection. This issue affects Nestin: from n/a through 1.2.6...
openITCOCKPIT Code Issue Vulnerability
openITCOCKPIT is an open-source system monitoring software. Versions of openITCOCKPIT 5.3.1 and earlier have code vulnerabilities. These vulnerabilities stem from insecure deserialization points in the Gearman worker implementation, which may lead to PHP object injection attacks...
GHSA-V7M3-FPCR-H7M2 Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize()
Description The zumba/json-serializer library allows deserialization of PHP objects from JSON using a special @type field. Prior to version 3.2.3, the deserializer would instantiate any class specified in the @type field without restriction. When processing untrusted JSON input, this behavior may...