Summaryinfo

A vulnerability classified as critical was found in AncoraThemes Melody Plugin up to 1.6.3 on WordPress. This vulnerability affects unknown code. Executing a manipulation can lead to deserialization. This vulnerability is registered as CVE-2026-22510. It is possible to launch the attack remotely. No exploit is available.

Detailsinfo

A vulnerability has been found in AncoraThemes Melody Plugin up to 1.6.3 on WordPress and classified as critical. This vulnerability affects an unknown function. The manipulation with an unknown input leads to a deserialization vulnerability. The CWE definition for the vulnerability is CWE-502. The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection.This issue affects Melody: from n/a through <= 1.6.3.

The weakness was published by Tran Nguyen Bao Khanh. The advisory is available at patchstack.com. This vulnerability was named CVE-2026-22510 since 01/07/2026. The exploitation appears to be easy. The attack can be initiated remotely. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 03/31/2026).

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• WordPress Plugin

Vendor

• AncoraThemes

Name

• Melody Plugin

Version

• 1.6.0
• 1.6.1
• 1.6.2
• 1.6.3

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion