Description
Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Object Injection
Action: Apply Patch
AI Analysis

Impact

This vulnerability arises from deserialization of untrusted data within the WooCommerce Infinite Scroll plugin. An attacker can inject a crafted serialized object that will be unserialized by the plugin, enabling arbitrary code execution on the host system. The resulting impact includes full compromise of the WordPress installation, allowing attackers to read, modify, or delete data, and possibly launch further attacks against the underlying web server.

Affected Systems

Affecting WordPress sites that run sbthemes' WooCommerce Infinite Scroll plugin version 1.6.2 or earlier. The issue exists from the earliest release through 1.6.2, so any site that has not upgraded beyond this version remains vulnerable.

Risk and Exploitability

The CVSS base score of 8.8 classifies the flaw as high severity, indicating a remote impact. EPSS estimates less than 1% chance of exploitation in the wild, and the flaw is not listed in CISA's KEV catalog. Likely attack vector is remote through HTTP requests targeting the plugin’s endpoints; however, the exact method is not detailed in the provided description, so this is inferred. The combination of high impact and low exploitation probability suggests that while the vulnerability is serious, the likelihood of finding an attacker with the specific knowledge to exploit it remains modest.

Generated by OpenCVE AI on March 26, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WooCommerce Infinite Scroll to version 1.6.3 or later.

Generated by OpenCVE AI on March 26, 2026 at 17:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Sbthemes
Sbthemes woocommerce Infinite Scroll
Wordpress
Wordpress wordpress
Vendors & Products Sbthemes
Sbthemes woocommerce Infinite Scroll
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2.
Title WordPress WooCommerce Infinite Scroll plugin <= 1.6.2 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Sbthemes Woocommerce Infinite Scroll
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T15:15:33.424Z

Reserved: 2026-02-17T13:23:18.876Z

Link: CVE-2026-27045

cve-icon Vulnrichment

Updated: 2026-03-26T15:15:15.416Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:53.720

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-27045

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:31:33Z

Weaknesses