Description
The Advanced AJAX Product Filters plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.9.6 via deserialization of untrusted input in the shortcode_check function within the Live Composer compatibility layer. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present. Note: This vulnerability requires the Live Composer plugin to also be installed and active.
Published: 2026-02-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution via PHP Object Injection
Action: Apply Patch
AI Analysis

Impact

The Advanced AJAX Product Filters plugin contains a PHP Object Injection flaw in its Live Composer compatibility layer. The shortcode_check function deserializes untrusted input, allowing an attacker with Author or higher privileges to inject a crafted PHP object. Although the plugin itself contains no known POP chain, once combined with another plugin or theme that supplies one, the attacker could delete files, read sensitive data, or execute arbitrary code. The flaw is therefore meaningful only in environments that also host a POP-capable plugin or theme.
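To make the CWE-502 pattern concrete, the following PHP sketch is added here as an illustration; it is not the plugin's code, and the function names and the 'filters' shortcode attribute are hypothetical. It contrasts an unserialize() call on attacker-controlled shortcode data with two hardened forms and shows why the hardened forms cannot trigger magic methods from other plugins.

```php
<?php
// Added illustration of the deserialization pattern described above.
// NOT the plugin's code: function names and the 'filters' attribute are hypothetical.

// Vulnerable pattern: a shortcode attribute that any Author-level user can set is
// passed straight to unserialize(), so a serialized object string instantiates
// whatever class it names. Harmless on its own; dangerous when another plugin or
// theme ships classes with exploitable __wakeup()/__destruct() methods (a POP chain).
function shortcode_check_vulnerable(array $atts)
{
    $raw = isset($atts['filters']) ? (string) $atts['filters'] : '';
    return unserialize($raw);   // class named in the payload is instantiated
}

// Hardened pattern 1: forbid object instantiation entirely. Objects in the payload
// degrade to __PHP_Incomplete_Class, so no magic method of any real class runs.
function shortcode_check_no_objects(array $atts)
{
    $raw = isset($atts['filters']) ? (string) $atts['filters'] : '';
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred for new code): avoid PHP serialization for
// user-controlled data altogether. JSON has no class-instantiation semantics, and
// anything that is not a JSON array is rejected.
function shortcode_check_json(array $atts)
{
    $raw = isset($atts['filters']) ? (string) $atts['filters'] : '';
    $decoded = json_decode($raw, true);
    return is_array($decoded) ? $decoded : [];
}

// Constructed sample input: a serialized stdClass, the general shape of an
// object-injection payload. stdClass is inert, so this only shows the behaviour.
$atts = ['filters' => 'O:8:"stdClass":1:{s:5:"color";s:3:"red";}'];

$vuln = shortcode_check_vulnerable($atts);   // an object of the class named in the payload
$safe = shortcode_check_no_objects($atts);   // __PHP_Incomplete_Class: no real class instantiated
$json = shortcode_check_json($atts);         // empty array: serialized PHP is not valid JSON

var_dump(get_class($vuln), get_class($safe), $json);
```

The same reasoning explains the advisory's "no impact without a POP chain" statement: the vulnerable form only becomes exploitable when a class with dangerous magic methods is loadable on the site, which is exactly what the hardened forms rule out.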

Affected Systems

WordPress sites running Advanced AJAX Product Filters version 3.1.9.6 or older with the Live Composer plugin installed and active. The attacker must also hold Author-level or higher permissions on the WordPress site. The flaw lies in the plugin code, not in WordPress core; no specific core version is implicated.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, indicating high severity, but its EPSS is below 1%, suggesting exploitation is unlikely at present. It is not listed in the CISA KEV catalog. The attack requires authenticated access at Author level, so the risk surface grows with the number of Author-level accounts on a site. The risk to confidentiality, integrity, and availability becomes significant only when a POP chain resides on the same installation. Without such a chain, the flaw alone does not allow code execution or privilege escalation.

Generated by OpenCVE AI on April 15, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Advanced AJAX Product Filters to the latest version (3.1.9.7 or newer).
  • If the Live Composer plugin is not required, disable or uninstall it to remove the component the injection depends on.
  • Audit other plugins and themes for known POP chains and patch or remove any that could be exploited.


Advisories

No advisories yet.

History

Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
Values Added: Berocket; Berocket advanced Ajax Product Filters; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Berocket; Berocket advanced Ajax Product Filters; Wordpress; Wordpress wordpress

Wed, 18 Feb 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 14:45:00 +0000

Type: Description
Values Added: The Advanced AJAX Product Filters plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.9.6 via deserialization of untrusted input in the shortcode_check function within the Live Composer compatibility layer. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Note: This vulnerability requires the Live Composer plugin to also be installed and active.

Type: Title
Values Added: Advanced AJAX Product Filters <= 3.1.9.6 - Authenticated (Author+) PHP Object Injection via Live Composer Compatibility

Type: Weaknesses
Values Added: CWE-502

Type: References (no values recorded)

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:24.139Z

Reserved: 2026-01-26T04:38:10.519Z

Link: CVE-2026-1426

Vulnrichment

Updated: 2026-02-18T14:48:04.474Z

NVD

Status: Deferred

Published: 2026-02-18T15:18:41.023

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1426

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:30:13Z

Weaknesses