Description
The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
Published: 2026-02-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated PHP Object Injection that can lead to arbitrary code execution
Action: Apply Patch Immediately
AI Analysis

Impact

The WP eCommerce WordPress plugin through version 3.15.1 unserializes untrusted user input via AJAX actions. An attacker who does not need to authenticate can therefore trigger PHP Object Injection whenever a compatible gadget is present in the site's codebase. The flaw falls under CWE-502 and can potentially allow the attacker to execute arbitrary logic on the server.

Affected Systems

WordPress sites running the WP eCommerce plugin version 3.15.1 or earlier are affected; the vulnerability resides in the plugin’s core code and requires the presence of a PHP gadget to fully exploit.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw is unauthenticated and easy to trigger, but practical exploitation depends on a suitable gadget, which may limit real‑world risk. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 15, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP eCommerce plugin to the latest available version that removes the unserialize logic (any release newer than 3.15.1).
  • If an upgrade is not immediately possible, block or disable the AJAX endpoint that triggers the unserialization—this can be done via a web application firewall rule or by adding a restriction in the site’s .htaccess file.
  • As a temporary workaround, audit third‑party plugins or themes for deserialization gadgets and remove or replace any that provide them; ensure that any remaining code performing unserialize includes strict type checks and input validation.
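
The last recommendation above (strict type checks and input validation around any remaining unserialize call) is illustrated by the following added example. It is not WP eCommerce code and it does not use the plugin's real function names; the handler names, the `cart` parameter and the sample blobs are assumptions chosen for illustration. It shows the weak pattern the advisory describes beside a hardened replacement that refuses serialized objects entirely (PHP 7.4+ for the `max_depth` option, PHP 8 for the `mixed` return type).

```php
<?php
// Added example (not WP eCommerce code): hardening an AJAX handler that
// previously passed request data straight to unserialize().
// Function names, the 'cart' parameter and sample inputs are illustrative.

// BEFORE: the pattern the advisory describes. Whoever controls $_POST['cart']
// chooses which classes get instantiated, so any __wakeup()/__destruct()
// gadget reachable through the autoloader becomes usable.
function load_cart_unsafe(): mixed {
    return unserialize($_POST['cart'] ?? '');
}

// AFTER: a defensive replacement.
// 1. Insist on a string and cap its length.
// 2. Prefer JSON, which has no object-instantiation semantics in PHP.
// 3. For legacy PHP-serialized data, refuse objects outright and decode with
//    allowed_classes => false so an 'O:' payload can never become a live object.
function load_cart_safe(string $raw, int $max_len = 8192): ?array {
    if ($raw === '' || strlen($raw) > $max_len) {
        return null;
    }
    $decoded = json_decode($raw, true, 16);
    if (json_last_error() === JSON_ERROR_NONE && is_array($decoded)) {
        return $decoded;
    }
    // Coarse pre-check: an object ('O:') or custom-serialized class ('C:')
    // token is never legitimate in a cart blob. This may reject a string
    // value that merely contains such text; that is the conservative outcome.
    if (preg_match('/[OC]:\d+:"/', $raw)) {
        return null;
    }
    // allowed_classes => false is the real control: any object becomes
    // __PHP_Incomplete_Class with no magic methods invoked.
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    return is_array($data) ? $data : null;
}

// Validate the shape instead of trusting whatever structure was decoded:
// keep only items with a positive integer product_id and a bounded qty.
function validate_cart(array $cart): array {
    $clean = [];
    foreach ($cart as $item) {
        if (!is_array($item) || !isset($item['product_id'], $item['qty'])) {
            continue;
        }
        $id  = filter_var($item['product_id'], FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
        $qty = filter_var($item['qty'], FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1, 'max_range' => 999]]);
        if ($id === false || $qty === false) {
            continue;
        }
        $clean[] = ['product_id' => $id, 'qty' => $qty];
    }
    return $clean;
}

// Constructed sample inputs (not real traffic):
$json_blob   = '[{"product_id":42,"qty":2}]';
$legacy_blob = 'a:1:{i:0;a:2:{s:10:"product_id";i:7;s:3:"qty";i:1;}}';
$object_blob = 'O:8:"stdClass":0:{}';   // any serialized object must be rejected

foreach ([$json_blob, $legacy_blob, $object_blob] as $blob) {
    $cart = load_cart_safe($blob);
    var_dump($cart === null ? null : validate_cart($cart));
}
```

The JSON blob and the legacy array blob both decode to a validated cart; the object blob is rejected before unserialize() runs. When reviewing a site for the same weakness, search for unserialize() calls reachable from admin-ajax.php handlers (both the authenticated `wp_ajax_` and unauthenticated `wp_ajax_nopriv_` hooks) and confirm each either passes `allowed_classes => false` or has been replaced by JSON.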

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress, Wordpress wordpress, Wp Ecommerce, Wp Ecommerce wp Ecommerce
Vendors & Products | | Wordpress, Wordpress wordpress, Wp Ecommerce, Wp Ecommerce wp Ecommerce

Wed, 11 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-502
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
Title | | WP eCommerce <= 3.15.1 - Unauthenticated PHP Object Injection
References | |

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:57.069Z

Reserved: 2026-01-20T16:01:12.343Z

Link: CVE-2026-1235

Vulnrichment

Updated: 2026-02-11T15:52:49.513Z

NVD

Status : Deferred

Published: 2026-02-11T06:15:51.220

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1235

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:15:13Z

Weaknesses