Description
The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Published: 2026-01-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: PHP Object Injection with potential code execution when a POP chain is present
Action: Assess and Patch
AI Analysis

Impact

The Nexter Extension – Site Enhancements Toolkit plugin for WordPress allows unauthenticated attackers to inject arbitrary PHP objects through the 'nxt_unserialize_replace' function, which deserializes untrusted input. This is a classic PHP Object Injection, classified as CWE-502 (Deserialization of Untrusted Data): unserialize() instantiates whatever classes the payload names, and magic methods such as __wakeup or __destruct on those classes then run with attacker-controlled property values. That can lead to data leakage, file manipulation, or code execution if a suitable property-oriented programming (POP) gadget chain exists elsewhere on the site. The vulnerable plugin itself ships no known chain, so on its own the flaw provides no direct attack path; its real-world impact depends on whether other installed plugins or themes supply exploitable gadgets.
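To make the mechanism concrete, the following is an added illustration written for this page; it is not the Nexter Extension's code, and the gadget class (TempFileCleaner), its target path and the serialized payload are all constructed for the example. It shows that a deserialization sink is only dangerous when some loaded class turns attacker-controlled properties into side effects, and how the allowed_classes option of unserialize() (PHP 7.0+) or a switch to JSON removes that risk. Requires PHP 8 for the mixed return type.

```php
<?php
// Added illustration (not the plugin's code). The class, path and payload
// below are hypothetical and constructed for the example.

// Hypothetical gadget, as some *other* plugin or theme might ship it: a
// destructor that acts on a property the attacker controls via unserialize().
class TempFileCleaner
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    public function __destruct()
    {
        // A real gadget would call unlink($this->path); here we only report it.
        echo "[gadget] __destruct would unlink: {$this->path}\n";
    }
}

// Vulnerable pattern: unserialize() over attacker-controlled input instantiates
// any class named in the payload and populates its properties unchecked.
function vulnerable_unserialize(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1: forbid object instantiation entirely. Objects in the
// payload become __PHP_Incomplete_Class, whose magic methods never run.
function hardened_unserialize(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP's native serialization for untrusted data
// at all; JSON cannot express classes, so there is nothing to instantiate.
function decode_json_strict(string $untrusted): mixed
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed attacker payload: a TempFileCleaner whose path points at
// wp-config.php (lengths 15, 4 and 13 match the strings).
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:13:"wp-config.php";}';

echo "--- vulnerable sink ---\n";
$obj = vulnerable_unserialize($payload);
var_dump($obj instanceof TempFileCleaner);   // bool(true): gadget instantiated
unset($obj);                                  // refcount hits zero, __destruct fires

echo "--- allowed_classes => false ---\n";
$safe = hardened_unserialize($payload);
var_dump(get_class($safe));                   // string "__PHP_Incomplete_Class"
unset($safe);                                 // no destructor, nothing happens

echo "--- JSON instead of serialize ---\n";
try {
    decode_json_strict($payload);
} catch (JsonException $e) {
    echo "rejected: " . $e->getMessage() . "\n";  // serialized PHP is not valid JSON
}
```

Run it with `php example.php`. The key point for triage is the first section: the sink alone does nothing, but the moment a class like TempFileCleaner is autoloadable in the same process, the destructor executes with the attacker's property value. That is why the advisory's severity is conditional on other installed plugins and themes rather than on this plugin alone.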

Affected Systems

WordPress sites running the posimyththemes Nexter Extension – Site Enhancements Toolkit plugin, version 4.4.6 or earlier, are affected. All releases up to and including 4.4.6 contain the vulnerable 'nxt_unserialize_replace' implementation.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, though the EPSS score is below 1% and the flaw is not listed in the CISA KEV catalog, suggesting low likelihood of widespread exploitation. The vector (AV:N/AC:H/PR:N/UI:N) records high attack complexity, consistent with the dependency on a gadget chain: an attacker must craft a serialized payload, deliver it unauthenticated to a code path that reaches 'nxt_unserialize_replace', and rely on a POP chain supplied by another plugin or theme. If such a chain is present, the attacker could delete files, read sensitive data, or execute arbitrary code. Without a POP chain, the vulnerability is not exploitable on its own.

Generated by OpenCVE AI on April 15, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nexter Extension to version 4.4.7 or later to remove the vulnerable deserialization routine.
  • If an upgrade cannot be performed immediately, deactivate the plugin until the update is applied or the plugin is removed entirely.
  • Audit the WordPress installation for other plugins or themes that contain property-oriented programming (POP) gadget chains (classes with __wakeup, __destruct or __toString methods that act on their properties); update or remove any that pose a risk. In custom code, never pass untrusted data to unserialize(): prefer json_decode(), or at minimum forbid class instantiation with the allowed_classes option of unserialize().



Advisories

No advisories yet.

History

Wed, 21 Jan 2026 11:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress; Wordpress wordpress
Vendors & Products                    Wordpress; Wordpress wordpress

Tue, 20 Jan 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 14:45:00 +0000

Type          Values Removed   Values Added
Description                    The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Title                          Nexter Extension – Site Enhancements Toolkit <= 4.4.6 - Unauthenticated PHP Object Injection via 'nxt_unserialize_replace'
Weaknesses                     CWE-502
References
Metrics                        cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-14T15:07:20.489Z

Reserved: 2026-01-08T14:09:33.636Z

Link: CVE-2026-0726

Vulnrichment

Updated: 2026-01-20T14:54:30.862Z

NVD

Status : Deferred

Published: 2026-01-20T15:20:07.613

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0726

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses