Description
Deserialization of Untrusted Data vulnerability in maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce allows Object Injection. This issue affects Secudeal Payments for Ecommerce: from n/a through <= 1.1.
Published: 2026-03-05
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a deserialization of untrusted data flaw (CWE-502) that permits PHP object injection: attacker-supplied data reaches PHP's unserialize() without validation, so the attacker chooses which classes are instantiated and what values their properties receive. Whether this becomes remote code execution depends on the code loaded at the time (the plugin itself, WordPress core, and any other installed plugins or themes): if a class with a magic method such as __wakeup(), __destruct() or __toString() performs a useful side effect (a file write, a database query, a callback invocation) using attacker-controlled properties, a gadget chain turns the injection into arbitrary file writes or code execution. The potential impact is therefore loss of control over the affected server, modification of site files, and exposure of sensitive data stored by the site.

Affected Systems

The plugin is distributed by maximsecudeal as Secudeal Payments for Ecommerce (slug secudeal-payments-for-ecommerce). Every WordPress site running version 1.1 or earlier of the plugin is affected; the advisory states no lower bound ("from n/a"), so all prior releases should be treated as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 8.6 places the issue in the High severity class. The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) records that it is reachable over the network with low attack complexity and requires neither privileges nor user interaction, so according to the vector the injection point is an unauthenticated request to a plugin-exposed endpoint rather than the WordPress admin area. The same vector rates integrity and availability impact as Low, so the Remote Code Execution label above assumes a usable gadget chain exists in the site's loaded code; without one, the outcome is limited to what the deserialized data itself can influence. The EPSS score below 1% indicates a very low predicted probability of exploitation in the wild over the next 30 days, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment likewise records no known exploitation but marks the issue as automatable. No public proof of concept or exploit is referenced on this page.

Generated by OpenCVE AI on April 16, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Secudeal Payments for Ecommerce plugin as soon as the vendor publishes a release later than 1.1. At the time of this page's enrichment no fixed version is listed, so check the plugin's changelog and the Patchstack advisory before assuming a newer release contains the fix.
  • If an upgrade is not immediately possible, disable or uninstall the plugin entirely to eliminate the vulnerable code path.
  • Treat the deserialization hardening as code-level guidance for the plugin maintainer rather than a setting: neither WordPress nor PHP offers a configuration option that whitelists deserializable classes or disables magic methods. The fix belongs in the plugin source, either by replacing unserialize() on external input with json_decode(), or by calling unserialize($data, ['allowed_classes' => false]) (PHP 7.0+) so that any object in the payload is restored as __PHP_Incomplete_Class and no application class's __wakeup() or __destruct() runs. Until a fixed release exists, a web application firewall rule that rejects request parameters, cookies and request bodies containing PHP-serialized object markers (O:<length>:" or C:<length>:") is a reasonable stopgap, with the caveat that pattern filters can miss encoded or nested payloads.

Generated by OpenCVE AI on April 16, 2026 at 05:20 UTC.
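The following PHP example is added here to illustrate the mechanism described under Impact and the code-level fix behind the third recommended action. It is not code from the Secudeal Payments for Ecommerce plugin, whose source is not shown on this page. The CacheWriter gadget class, the handler functions, the filter regex and the payload are assumptions constructed for the demonstration; the only real APIs used are PHP's serialize(), unserialize() with the allowed_classes option (PHP 7.0+), json_decode() and file_put_contents(). It requires PHP 8.0 or later.

```php
<?php
// Added illustration of CWE-502 / PHP Object Injection. This is NOT code from the
// Secudeal Payments for Ecommerce plugin; the class, sinks, filter and payload are
// assumed for demonstration only.
declare(strict_types=1);

// A "gadget": a class already loaded in the application whose magic method does
// something useful to an attacker. Here __destruct() writes a file, a common
// primitive in real gadget chains (log writers, cache classes, temp-file helpers).
final class CacheWriter
{
    public string $path = '';
    public string $data = '';

    public function __destruct()
    {
        // With attacker-controlled $path/$data this is an arbitrary file write,
        // e.g. dropping a .php file under the webroot -> remote code execution.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Constructed attacker payload: a serialized CacheWriter whose properties point at
// the file the attacker wants to create. Serializing a real object shows the exact
// byte format an attacker sends: O:<len>:"<class>":<n>:{...}
function buildPayload(string $path, string $data): string
{
    $g = new CacheWriter();
    $g->path = $path;
    $g->data = $data;
    return serialize($g);
}

// Vulnerable sink: what a CWE-502 bug looks like. Untrusted input (a request
// parameter, cookie, webhook body, ...) goes straight into unserialize(), so any
// loaded class can be instantiated and its magic methods run.
function vulnerableHandler(string $untrusted): mixed
{
    return unserialize($untrusted);                               // VULNERABLE
}

// Hardened sink 1: allowed_classes => false (PHP >= 7.0). Objects come back as
// __PHP_Incomplete_Class, so no __wakeup()/__destruct() of application classes fires.
function hardenedHandler(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened sink 2: preferred fix. Don't accept PHP serialization across the trust
// boundary at all; JSON cannot express PHP objects.
function jsonHandler(string $untrusted): mixed
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Stopgap filter for a WAF or request pre-processor while no vendor fix exists:
// reject any value containing a serialized PHP object (O:) or custom object (C:)
// marker, whether at the top level or nested inside an array/property value.
function looksLikeSerializedObject(string $value): bool
{
    return (bool) preg_match('/(?:^|[;{:])(?:O|C):\d+:"/', $value);
}

// --- demonstration ---------------------------------------------------------
$target  = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.txt';
$payload = buildPayload($target, "owned\n");
echo "payload: $payload\n";

// Hardened: the object is never rebuilt as CacheWriter, so no file appears.
$obj = hardenedHandler($payload);
unset($obj);
echo 'hardened created file?   ', var_export(file_exists($target), true), "\n";

echo 'filter rejects payload?  ', var_export(looksLikeSerializedObject($payload), true), "\n";
echo 'filter allows plain array? ',
    var_export(!looksLikeSerializedObject(serialize(['a' => 1])), true), "\n";

// Vulnerable: unserialize() rebuilds a real CacheWriter; when the last reference is
// dropped, __destruct() runs with attacker-controlled properties and writes the file.
$obj = vulnerableHandler($payload);
unset($obj);
echo 'vulnerable created file? ', var_export(file_exists($target), true), "\n";
@unlink($target);
```

Run it with `php poi_demo.php`. The hardened handler leaves the object as __PHP_Incomplete_Class, so no file is created; the vulnerable handler rebuilds CacheWriter and its __destruct() writes the file, which is the file-write primitive a real gadget chain would use to drop a web shell. The regex filter is a stopgap only: it can false-positive on legitimate strings that happen to contain those tokens, and it cannot see payloads that arrive base64- or URL-encoded unless the decoded value is what gets checked.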


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values added: Maximsecudeal; Maximsecudeal secudeal Payments For Ecommerce; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Maximsecudeal; Maximsecudeal secudeal Payments For Ecommerce; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values added: Deserialization of Untrusted Data vulnerability in maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce allows Object Injection. This issue affects Secudeal Payments for Ecommerce: from n/a through <= 1.1.
Type: Title
Values added: WordPress Secudeal Payments for Ecommerce plugin <= 1.1 - PHP Object Injection vulnerability
Type: Weaknesses
Values added: CWE-502
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:58.333Z

Reserved: 2026-01-07T13:44:06.688Z

Link: CVE-2026-22471

Vulnrichment

Updated: 2026-03-10T13:37:18.533Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:20.777

Modified: 2026-03-10T18:18:11.713

Link: CVE-2026-22471

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z

Weaknesses