Untrusted Data Can Be Injected into Handyman via Deserialization

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

9.8

Untrusted Data Can Be Injected into Handyman via Deserialization

CVE-2026-22451

Summary

The Handyman plugin for WordPress has a flaw that lets attackers inject malicious code into the system. This could allow hackers to gain unauthorized access to sensitive data or take control of the website. Update to a fixed version of Handyman to fix this issue.

Original title

Deserialization of Untrusted Data vulnerability in AncoraThemes Handyman handyman-services allows Object Injection.This issue affects Handyman: from n/a through <= 1.4.

Original description

Deserialization of Untrusted Data vulnerability in AncoraThemes Handyman handyman-services allows Object Injection.This issue affects Handyman: from n/a through <= 1.4.

Vulnerability type

CWE-502 Deserialization of Untrusted Data

https://patchstack.com/database/Wordpress/Theme/handyman-services/vulnerability/...

Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026