{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22480", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:16.751Z", "datePublished": "2026-03-25T16:14:22.428Z", "dateUpdated": "2026-03-25T16:14:22.428Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "webtoffee-product-feed", "product": "Product Feed for WooCommerce", "vendor": "WebToffee", "versions": [{"changes": [{"at": "2.3.4", "status": "unaffected"}], "lessThanOrEqual": "<= 2.3.3", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Mrreee | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:04.185Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Object Injection.<p>This issue affects Product Feed for WooCommerce: from n/a through <= 2.3.3.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Object Injection.This issue affects Product Feed for WooCommerce: from n/a through <= 2.3.3."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:22.428Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/webtoffee-product-feed/vulnerability/wordpress-product-feed-for-woocommerce-plugin-2-3-3-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Product Feed for WooCommerce plugin <= 2.3.3 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Object Injection.This issue affects Product Feed for WooCommerce: from n/a through <= 2.3.3."}], "id": "CVE-2026-22480", "lastModified": "2026-03-25T17:16:30.650", "metrics": {}, "published": "2026-03-25T17:16:30.650", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/webtoffee-product-feed/vulnerability/wordpress-product-feed-for-woocommerce-plugin-2-3-3-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2.3.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Product Feed for WooCommerce", "source": "cna", "vendor": "WebToffee"}, "product": "product_feed_for_woocommerce", "vendor": "webtoffee"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:27:57.450392+00:00", "value": {"mitigation_remediation": ["Update the WebToffee Product Feed for WooCommerce plugin to the latest available version (any release newer than 2.3.3).", "If upgrading is not immediately feasible, disable the plugin to prevent exploitation.", "Monitor the site\u2019s logs for suspicious deserialization activity or unexpected object payloads.", "Apply general WordPress hardening practices such as restricting the \"wp-admin\" folder, using secure authentication, and keeping all core plugins and themes updated."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that run the WebToffee Product Feed for WooCommerce plugin version 2.3.3 or older are affected. The plugin integrates with WooCommerce and is installed on the WordPress plugin directory.", "description_and_impact": "Untrusted data is deserialized in the WebToffee Product Feed for WooCommerce plugin, which allows attackers to inject crafted PHP objects. This object injection can lead to remote code execution or arbitrary code manipulation on the affected WordPress site, compromising confidentiality, integrity, and availability of the web application.", "risk_and_exploitability": "The CVSS score and EPSS data are not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, given the nature of PHP object injection, the risk is high due to the potential for full code execution on the server. Based on the description, it is inferred that an attacker could exploit this weakness through the plugin\u2019s public or administrative interfaces, sending crafted payloads that create malicious objects during deserialization."}}}}, "created": "2026-03-25T21:35:29.689708+00:00", "updated": "2026-03-26T11:40:43.609434+00:00", "vendors": ["webtoffee", "webtoffee$PRODUCT$product_feed_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}