Description
The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the 'settings' parameter in the 'import_settings' function. This is due to deserialization of untrusted data supplied via the import configuration feature without capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No POP chain is present within the vulnerable plugin itself, but if a POP chain is present via an additional plugin or theme installed on the target system, it could allow an attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Published: 2026-05-29
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 1.8 because the import_settings function deserializes untrusted data from the 'settings' parameter without checking user capabilities. This flaw can allow an authenticated user with Subscriber-level access or higher to inject a PHP object. While the plugin itself contains no proven POP chain, the existence of a POP chain elsewhere on the site could let the attacker delete files, read sensitive data or execute arbitrary code, effectively compromising the application.

Affected Systems

The vulnerability affects the sbthemes WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress; all released versions up to and including 1.8 are vulnerable. Because the import handler performs no capability check, any site running an affected version on which an attacker can obtain a Subscriber-level account (for example through open registration) is at risk.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) marks this flaw as high severity: it is reachable over the network with low complexity and no user interaction, but it requires a low-privilege authenticated account, which narrows the attack surface. The EPSS score is below 1% (Very Low), so the currently observed likelihood of exploitation is low, and the vulnerability is not listed in CISA KEV. The potential for code execution through an existing POP chain nonetheless makes it a serious threat. Exploitation would involve sending a crafted serialized PHP string in the 'settings' parameter to the import_settings handler and relying on a gadget chain supplied by another installed plugin or theme.

Generated by OpenCVE AI on May 29, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a release that fixes this issue as soon as the vendor publishes one. At the time of writing the page records no fixed version, so treat every release up to and including 1.8 as vulnerable and confirm the fix in the plugin changelog rather than assuming the next version number is patched.
  • Because the import handler performs no capability check, restricting roles in the WordPress admin does not close the hole. Until a fix is available, deactivate the plugin on sites where untrusted users can hold Subscriber-level accounts, or disable open user registration.
  • As a temporary measure, patch the handler locally so that it verifies current_user_can('manage_options') and a nonce before any deserialization, or block request bodies carrying serialized-object strings (PHP's O:<length>: prefix) in the 'settings' parameter at the web application firewall. Audit the other installed plugins and themes for classes with __wakeup, __destruct or __toString methods that could serve as a POP chain.
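The following is an added illustration of the CWE-502 pattern the Impact section describes and of the local patch suggested in the recommended actions above. It is not the plugin's code: the hook names, option name, nonce action and settings keys are assumptions. The first handler shows the vulnerable shape (request data passed straight to unserialize() with no capability check); the second shows a hardened handler that checks capability and nonce, parses JSON into arrays instead of instantiating objects, and whitelists the keys it stores. A helper at the end shows how to keep accepting a legacy serialized format without letting any class be instantiated.

```php
<?php
/*
 * Illustrative example only (not the plugin's code). Demonstrates the
 * advisory's weakness, unserialize() on a request parameter without a
 * capability check, and one way to harden the same handler.
 * Hook names, option names and settings keys are assumptions.
 */

// BEFORE (vulnerable pattern): every logged-in user can reach a wp_ajax_
// hook, and unserialize() instantiates whatever classes the payload names,
// so magic methods (__wakeup, __destruct) of any installed class may run.
function example_import_settings_vulnerable() {
    $raw      = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $settings = unserialize( $raw ); // CWE-502: a gadget chain fires here
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_import_settings_vulnerable', 'example_import_settings_vulnerable' );

// AFTER (hardened): capability check, nonce check, no unserialize() of
// request data, and an explicit schema applied before anything is stored.
// wp_send_json_error() ends the request, so nothing below it runs.
function example_import_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'example_import_settings', 'nonce' );

    $raw     = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $decoded = json_decode( $raw, true ); // associative arrays only, never objects
    if ( ! is_array( $decoded ) ) {
        wp_send_json_error( 'settings must be a JSON object', 400 );
    }

    $settings = example_validate_settings( $decoded );
    if ( is_wp_error( $settings ) ) {
        wp_send_json_error( $settings->get_error_message(), 400 );
    }
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_import_settings_hardened', 'example_import_settings_hardened' );

// Explicit schema (assumed keys): anything not listed is dropped, and each
// value is coerced to the expected scalar type.
function example_validate_settings( array $in ) {
    $schema = array(
        'per_page'     => 'int',
        'load_more'    => 'bool',
        'button_label' => 'text',
    );
    $out = array();
    foreach ( $schema as $key => $type ) {
        if ( ! array_key_exists( $key, $in ) ) {
            continue;
        }
        switch ( $type ) {
            case 'int':
                $out[ $key ] = absint( $in[ $key ] );
                break;
            case 'bool':
                $out[ $key ] = (bool) $in[ $key ];
                break;
            case 'text':
                $out[ $key ] = sanitize_text_field( (string) $in[ $key ] );
                break;
        }
    }
    if ( empty( $out ) ) {
        return new WP_Error( 'empty', 'no recognised settings keys' );
    }
    return $out;
}

// If a legacy serialized export format must still be accepted, refuse object
// instantiation outright (PHP >= 7.0). Serialized objects come back as
// __PHP_Incomplete_Class, whose magic methods never execute, so no gadget
// chain can be triggered; the caller should still validate the result.
function example_unserialize_no_objects( $raw ) {
    return unserialize( $raw, array( 'allowed_classes' => false ) );
}
```

The capability check alone removes the Subscriber-level reach described in the advisory; replacing unserialize() with json_decode() or with allowed_classes => false removes the object injection itself, so the handler stays safe even if another plugin later ships a usable gadget chain.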

Generated by OpenCVE AI on May 29, 2026 at 07:20 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Sbthemes; Sbthemes woocommerce Infinite Scroll And Ajax Pagination; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Sbthemes; Sbthemes woocommerce Infinite Scroll And Ajax Pagination; Wordpress; Wordpress wordpress

Fri, 29 May 2026 10:30:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 06:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the 'settings' parameter in the 'import_settings' function. This is due to deserialization of untrusted data supplied via the import configuration feature without capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No POP chain is present within the vulnerable plugin itself, but if a POP chain is present via an additional plugin or theme installed on the target system, it could allow an attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Type: Title
  Values Removed: (none)
  Values Added: WooCommerce Infinite Scroll and Ajax Pagination <= 1.8 - Authenticated (Subscriber+) PHP Object Injection
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-502
Type: References
  Values Removed: (none)
  Values Added: (none)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-29T10:06:43.473Z

Reserved: 2025-10-20T20:07:27.819Z

Link: CVE-2025-11993

Vulnrichment

Updated: 2026-05-29T10:06:38.969Z

NVD

Status : Deferred

Published: 2026-05-29T07:16:13.730

Modified: 2026-05-29T13:09:05.450

Link: CVE-2025-11993

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:33Z

Weaknesses