{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22510", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:36.068Z", "datePublished": "2026-03-25T16:14:26.647Z", "dateUpdated": "2026-03-25T16:14:26.647Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "melodyschool", "product": "Melody", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "<= 1.6.3", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:09.869Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.<p>This issue affects Melody: from n/a through <= 1.6.3.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.This issue affects Melody: from n/a through <= 1.6.3."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:26.647Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/melodyschool/vulnerability/wordpress-melody-theme-1-6-3-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Melody theme <= 1.6.3 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.This issue affects Melody: from n/a through <= 1.6.3."}], "id": "CVE-2026-22510", "lastModified": "2026-03-25T17:16:33.273", "metrics": {}, "published": "2026-03-25T17:16:33.273", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/melodyschool/vulnerability/wordpress-melody-theme-1-6-3-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:50:37.951703+00:00", "value": {"mitigation_remediation": ["Update the Melody theme to a version newer than 1.6.3, or at least install the latest available patch from AncoraThemes.", "If an update is not possible, temporarily disable or remove the Melody theme from the WordPress installation to eliminate the vulnerability surface.", "Verify that no unauthorized code has been injected into WordPress files and monitor for suspicious activity until the theme is upgraded or removed."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution through PHP Object Injection"}, "threat_synthesis": {"affected_systems": "The issue affects the AncoraThemes Melody WordPress theme in all releases up to and including version 1.6.3. Users who have installed Melody 1.6.3 or earlier are vulnerable. The vulnerability does not appear to affect later theme versions.", "description_and_impact": "The vulnerability is a deserialization of untrusted data that allows PHP Object Injection. This weakness, classified as CWE-502, enables an attacker to manipulate object properties during deserialization, potentially leading to arbitrary code execution on the affected system. The impact is severe because an attacker can execute commands or load malicious code with the privileges of the web application.", "risk_and_exploitability": "The CVSS score is not listed, and there is no EPSS score available, but the nature of the flaw and the lack of mitigation make exploitation likely if an attacker can supply crafted data. The vulnerability is not yet catalogued in KEV. The likely attack vector is through any unvalidated input that triggers the PHP library\u2019s unserialize() function, such as form fields, URL parameters, or custom data structures that the theme accepts. An attacker could submit malicious payloads to gain remote code execution."}}}}, "created": "2026-03-25T21:35:10.356954+00:00", "updated": "2026-03-25T21:35:10.356985+00:00", "vendors": []}