{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27045", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:18.876Z", "datePublished": "2026-03-25T16:14:52.853Z", "dateUpdated": "2026-03-25T16:14:52.853Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "sb-woocommerce-infinite-scroll", "product": "WooCommerce Infinite Scroll", "vendor": "sbthemes", "versions": [{"lessThanOrEqual": "<= 1.6.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:31.771Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.<p>This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:52.853Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/sb-woocommerce-infinite-scroll/vulnerability/wordpress-woocommerce-infinite-scroll-plugin-1-6-2-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress WooCommerce Infinite Scroll plugin <= 1.6.2 - PHP Object Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2."}], "id": "CVE-2026-27045", "lastModified": "2026-03-25T17:16:53.720", "metrics": {}, "published": "2026-03-25T17:16:53.720", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/sb-woocommerce-infinite-scroll/vulnerability/wordpress-woocommerce-infinite-scroll-plugin-1-6-2-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:27:33.112578+00:00", "value": {"mitigation_remediation": ["Update the WooCommerce Infinite Scroll plugin to a version newer than 1.6.2.", "If an update is not immediately available, deactivate or disable the plugin to remove the vulnerability surface."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via PHP Object Injection"}, "threat_synthesis": {"affected_systems": "The affected product is the WooCommerce Infinite Scroll plugin developed by sbthemes. All releases from the earliest available version up to and including version 1.6.2 are impacted. Any WordPress installation that has this plugin installed within that version range is at risk.", "description_and_impact": "The vulnerability involves deserialization of untrusted data within the WooCommerce Infinite Scroll plugin. This allows malicious input to create arbitrary PHP objects during execution. While the description does not explicitly state the resulting effect, deserialization flaws that enable object injection are commonly associated with remote code execution. An attacker could potentially gain control over the application, exfiltrate data, or alter site functionality.", "risk_and_exploitability": "No CVSS score is provided, but the presence of object injection typically indicates high severity. EPSS data is unavailable and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is remote, originating from user\u2011supplied input such as GET, POST, or cookie data, because the plugin processes serialized data from external sources."}}}}, "created": "2026-03-25T21:44:11.581641+00:00", "updated": "2026-03-25T21:44:11.581676+00:00", "vendors": []}