CVE-2026-27098 HIGH

CVE-2026-27098: WordPress Au Pair Agency - Babysitting & Nanny Theme theme <= 1.2.2 - Deserialization of untrusted data vulnerability

Vendor Axiomthemes
Product Au Pair Agency - Babysitting & Nanny Theme
Weakness CWE-502 · Unsafe deserialization
Published March 5, 2026
Last update April 28, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Deserialization of Untrusted Data vulnerability in axiomthemes Au Pair Agency - Babysitting & Nanny Theme (au-pair-agency) allows Object Injection. This issue affects Au Pair Agency - Babysitting & Nanny Theme versions up to and including 1.2.2.

Explanation of Vulnerability in Simple Terms

02 Summary

The Au Pair Agency theme versions 1.2.2 and earlier contain a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code on the site. The vulnerability requires high attack complexity but no user interaction. An attacker can exploit this by sending a specially crafted request to deserialize untrusted data, leading to remote code execution.

What an attacker can do

03 Attacker Capabilities

Run their own code on the site without authentication.

Potential impact on your site

04 Site Impact

An attacker can take full control of your site, access all data, modify content, and install malware.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication required, but the attack requires specific technical conditions.

Key dates

06 Disclosure timeline

March 5, 2026 CVE published
April 28, 2026 Record updated