Description
Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection. This issue affects YITH WooCommerce Compare: from n/a through <= 3.6.0.
Published: 2026-02-19
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via object injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows deserialization of untrusted data within the YITHEMES YITH WooCommerce Compare plugin, resulting in object injection that can lead to arbitrary code execution. An attacker who can trigger the deserialization routine could cause attacker-controlled objects to be instantiated on the server, compromising the website’s confidentiality, integrity, and availability.

Affected Systems

Affects the YITHEMES YITH WooCommerce Compare WordPress plugin at version 3.6.0 and all earlier releases. Sites running this plugin remain at risk until they upgrade to a release later than 3.6.0.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while the EPSS score of less than 1% reflects a low probability of real‑world exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves an attacker sending crafted serialized data to the plugin, potentially through a web request or an administrative interface, which triggers the vulnerable deserialization routine. Based on the description, exploitation is inferred to require authenticated access with administrative privileges, but the flaw could also be reachable by unauthenticated users if the plugin accepts external input from them.

Generated by OpenCVE AI on April 16, 2026 at 06:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the YITH WooCommerce Compare plugin to the latest version that removes the vulnerable deserialization logic (at least version 3.6.1).
  • If an update cannot be applied immediately, temporarily disable the plugin or place the WordPress site into maintenance mode to prevent exploitation of the deserialization flaw.
  • Modify the plugin’s deserialization handling to validate object types against a strict whitelist before use, so that only trusted classes are instantiated from input data.
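The whitelist approach in the last recommendation, shown as an added PHP example that is not the plugin's own code. It assumes, hypothetically, that the plugin persists a "compare list" as a PHP-serialized array of product IDs; the unsafe and hardened loaders are shown side by side.

```php
<?php
// Added example, not code from YITH WooCommerce Compare. Assumption: the
// plugin stores a compare list as a PHP-serialized array of product IDs.

// Unsafe pattern (CWE-502): untrusted input reaches unserialize() with no
// class restriction, so any loadable class with __wakeup()/__destruct()
// side effects can be instantiated by whoever controls the string.
function load_compare_list_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern: no class may be instantiated at all
// (allowed_classes => false), and the decoded value is then validated
// against the exact shape the feature expects (a list of positive ints).
function load_compare_list_safe(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];   // false (malformed input) or a scalar: reject outright
    }
    $ids = [];
    foreach ($data as $item) {
        // Any object smuggled into the payload now arrives as
        // __PHP_Incomplete_Class, fails is_int() and is dropped.
        if (is_int($item) && $item > 0) {
            $ids[] = $item;
        }
    }
    return array_values(array_unique($ids));
}

// Constructed sample: a legitimate ID, a smuggled stdClass, and a duplicate.
$sample = 'a:3:{i:0;i:12;i:1;O:8:"stdClass":0:{}i:2;i:12;}';
var_dump(load_compare_list_safe($sample));
```

Where the stored data never needs objects at all, replacing unserialize() with json_decode() removes the class of bug entirely rather than restricting it.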



Advisories

No advisories yet.

History

Wed, 25 Feb 2026 09:15:00 +0000

  Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 21:30:00 +0000

  Type: Metrics (cvssV3_1)
  Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Fri, 20 Feb 2026 10:15:00 +0000

  Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress; Yithemes; Yithemes yith Woocommerce Compare
  Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress; Yithemes; Yithemes yith Woocommerce Compare

Thu, 19 Feb 2026 08:45:00 +0000

  Type: Description
  Values Added: Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection. This issue affects YITH WooCommerce Compare: from n/a through <= 3.6.0.
  Type: Title
  Values Added: WordPress YITH WooCommerce Compare plugin <= 3.6.0 - Deserialization of untrusted data vulnerability
  Type: Weaknesses
  Values Added: CWE-502
  Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:46:37.968Z

Reserved: 2026-01-07T12:21:02.765Z

Link: CVE-2026-22333

Vulnrichment

Updated: 2026-02-24T20:52:20.873Z

NVD

Status : Deferred

Published: 2026-02-19T09:16:11.600

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22333

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:45:16Z

Weaknesses