{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22417", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:22:01.195Z", "datePublished": "2026-03-05T05:53:37.223Z", "dateUpdated": "2026-04-28T17:07:53.950Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "grandwedding", "product": "Grand Wedding", "vendor": "ThemeGoods", "versions": [{"changes": [{"at": "3.1.11", "status": "unaffected"}], "lessThanOrEqual": "3.1.11", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:09.421Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection.<p>This issue affects Grand Wedding: from n/a through < 3.1.11.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection.This issue affects Grand Wedding: from n/a through < 3.1.11."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:43.595Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/grandwedding/vulnerability/wordpress-grand-wedding-theme-3-1-0-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Grand Wedding theme < 3.1.11 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T16:45:44.858470Z", "id": "CVE-2026-22417", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:07:53.950Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22417", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:22:01.195Z", "datePublished": "2026-03-05T05:53:37.223Z", "dateUpdated": "2026-04-28T17:07:53.950Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "grandwedding", "product": "Grand Wedding", "vendor": "ThemeGoods", "versions": [{"changes": [{"at": "3.1.11", "status": "unaffected"}], "lessThanOrEqual": "3.1.11", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:09.421Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection.<p>This issue affects Grand Wedding: from n/a through < 3.1.11.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection.This issue affects Grand Wedding: from n/a through < 3.1.11."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:43.595Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/grandwedding/vulnerability/wordpress-grand-wedding-theme-3-1-0-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Grand Wedding theme < 3.1.11 - PHP Object Injection vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22417", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T16:45:44.858470Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T16:45:36.566Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection.This issue affects Grand Wedding: from n/a through < 3.1.11."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en ThemeGoods Grand Wedding grandwedding permite la inyecci\u00f3n de objetos. Este problema afecta a Grand Wedding: desde n/a hasta &lt;= 3.1.0."}], "id": "CVE-2026-22417", "lastModified": "2026-04-28T19:36:35.933", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-05T06:16:15.590", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/grandwedding/vulnerability/wordpress-grand-wedding-theme-3-1-0-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "grand_wedding", "vendor": "themegoods"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T17:33:17.886301+00:00", "value": {"mitigation_remediation": ["Upgrade the Grand Wedding theme to the latest available release that removes the vulnerable deserialization logic.", "If an update is not possible, deactivate or delete the Grand Wedding theme to stop loading the vulnerable code.", "Configure the web server or file system to grant only read permissions to the theme directory, preventing accidental execution of malicious code from that location."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects ThemeGoods\u2019 Grand Wedding WordPress theme versions up to 3.1.10 inclusive. Any site that has installed or is still using a version at or below 3.1.10 is potentially exposed. No other vendors or products are listed as impacted.", "description_and_impact": "Deserialization of untrusted data within the Grand Wedding theme allows an attacker to inject crafted PHP objects. Such object injection enables the execution of arbitrary code on the server, potentially compromising the entire WordPress installation. The flaw is a classic insecure deserialization vulnerability classified as CWE\u2011502, posing a severe risk to confidentiality, integrity, and availability.", "risk_and_exploitability": "With a CVSS score of 9.8, the vulnerability is considered High severity. The EPSS score of less than 1% indicates a low probability of widespread exploitation at present, and the issue is not listed in the CISA KEV catalog. However, the flaw can be abused through standard web requests to the WordPress site, where the theme processes serialized data. Attackers would need to supply a malicious payload via any input that the theme accepts, so the main vector is the web application itself rather than external network services."}}}}, "created": "2026-03-06T15:14:34.260550+00:00", "updated": "2026-04-28T17:45:16.118439+00:00", "vendors": ["themegoods", "themegoods$PRODUCT$grand_wedding", "wordpress", "wordpress$PRODUCT$wordpress"]}