What the vulnerability does
01 Description
Deserialization of Untrusted Data vulnerability in axiomthemes Au Pair Agency - Babysitting & Nanny Theme (au-pair-agency) allows Object Injection. This issue affects Au Pair Agency - Babysitting & Nanny Theme: from n/a through <= 1.2.2.
Explanation of Vulnerability in Simple Terms
02 Summary
The Au Pair Agency theme versions 1.2.2 and earlier contain a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code on the site. The vulnerability requires high attack complexity but no user interaction. An attacker can exploit this by sending a specially crafted request to deserialize untrusted data, leading to remote code execution.
What an attacker can do
03 Attacker Capabilities
Run their own code on the site without authentication.
Potential impact on your site
04 Site Impact
An attacker can take full control of your site, access all data, modify content, and install malware.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication required, but the attack requires specific technical conditions.
Key dates
06 Disclosure timeline
March 5, 2026: CVE published
April 28, 2026: Record updated