CVE-2026-2020 - Vulnerability Details

- JS Archive List <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'included' Shortcode Attribute

Description

The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Published: 2026-03-07

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a PHP Object Injection flaw caused by the deserialization of untrusted data supplied via the 'included' shortcode attribute in the JS Archive List plugin. An authenticated user with Contributor-level access can supply crafted input that yields a PHP object containing malicious properties. While the plugin itself does not provide a load-time execution vector, the presence of a separate plugin or theme that implements a PHP Object Retrieval (POP) chain would let the attacker delete or read files, or execute arbitrary code on the host.

Affected Systems

The affected product is the WordPress plugin JS Archive List from the vendor skatox. All released versions up to and including 6.1.7 are vulnerable. No other impacted versions are listed.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity. The EPSS score of less than 1% suggests that exploitation is unlikely at this time, and the vulnerability is not currently in the CISA KEV catalog. Because the flaw requires authenticated access at the Contributor level, the attack surface is restricted to site administrators who have granted such permissions. An attacker would still need a complementary POP chain from another component to achieve remote code execution; otherwise, the impact remains limited to the flaws introduced by the vulnerability itself.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

skatox

JS Archive List

unaffected

Version	Status	Constraints
`0`	affected	≤ 6.1.7

No data.

Vendor Product Confidence Versions

Skatox

Js Archive List

100%

Version	Status	Scheme	Platform
`[0,6.1.7]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply an immediate patch by upgrading the JS Archive List plugin to the latest version that addresses the deserialization bug.
If updating is not feasible, remove or disable the 'included' shortcode attribute from all content or configure the plugin to enforce strict input validation or restrict the feature to trusted administrators only.
Conduct a review of all installed WordPress themes and plugins to identify any that provide PHP Object Retrieval or deserialization mechanisms, and patch or remove those components to eliminate possible POP chains.

Generated by OpenCVE AI on April 15, 2026 at 17:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00084.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/tags/6.1.7/classes/class-jq-archive-list-widget.php#L674
https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/tags/6.1.7/classes/class-js-archive-list-settings.php#L10
https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/trunk/classes/class-jq-archive-list-widget.php#L674
https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/trunk/classes/class-js-archive-list-settings.php#L10
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3466978%40jquery-archive-list-widget&new=3466978%40jquery-archive-list-widget&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/9b0f6653-471b-4cee-9c92-f24dbe2c2dbd?source=cve

History

Mon, 09 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 09 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Skatox Skatox js Archive List Wordpress Wordpress wordpress
Vendors & Products		Skatox Skatox js Archive List Wordpress Wordpress wordpress

Sat, 07 Mar 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Title		JS Archive List <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'included' Shortcode Attribute
Weaknesses		CWE-502
References		https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/tags/6.1.7/classes/class-jq-archive-list-widget.php#L674 https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/tags/6.1.7/classes/class-js-archive-list-settings.php#L10 https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/trunk/classes/class-jq-archive-list-widget.php#L674 https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/trunk/classes/class-js-archive-list-settings.php#L10 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3466978%40jquery-archive-list-widget&new=3466978%40jquery-archive-list-widget&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/9b0f6653-471b-4cee-9c92-f24dbe2c2dbd?source=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Skatox Js Archive List

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-03-07T01:21:22.744Z

Updated: 2026-04-08T17:11:12.134Z

Reserved: 2026-02-05T20:04:06.842Z

Link: CVE-2026-2020

Vulnrichment

Updated: 2026-03-09T19:07:39.753Z

NVD

Status : Deferred

Published: 2026-03-07T02:16:12.077

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-2020

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object