Description
Deserialization of Untrusted Data vulnerability in Miguel Useche JS Archive List jquery-archive-list-widget allows Object Injection.This issue affects JS Archive List: from n/a through <= 6.1.7.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The flaw is a deserialization of untrusted data that permits object injection, allowing an attacker to build a malicious payload that is processed by the plugin and results in arbitrary code execution on a WordPress site. This falls under CWE‑502 and can give an attacker full control of the website, enabling content manipulation, malware installation, or data exfiltration.

Affected Systems

The vulnerability affects the JS Archive List plugin for WordPress, developed by Miguel Useche – jquery-archive-list-widget. All versions up to and including 6.1.7 are vulnerable, so any WordPress site running those releases is at risk.

Risk and Exploitability

With a CVSS score of 8.8 the flaw is rated high severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog. The likely attack vector is via web traffic that delivers serialized input to the plugin, such as an admin impersonation or a crafted request to a plugin endpoint. Successful exploitation would provide remote code execution, making the vulnerability particularly dangerous for exposed WordPress sites that have not upgraded.

Generated by OpenCVE AI on March 25, 2026 at 22:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JS Archive List plugin to version 6.1.8 or later.
  • If an upgrade is not immediately possible, disable or remove the plugin to eliminate the attack surface.
  • Verify that no dependent functionality relies on the removed plugin before disabling it.
  • Monitor site logs for any signs of deserialization or code execution attempts after the fix.

Generated by OpenCVE AI on March 25, 2026 at 22:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Miguel Useche
Miguel Useche js Archive List
Wordpress
Wordpress wordpress
Vendors & Products Miguel Useche
Miguel Useche js Archive List
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Miguel Useche JS Archive List jquery-archive-list-widget allows Object Injection.This issue affects JS Archive List: from n/a through <= 6.1.7.
Title WordPress JS Archive List plugin <= 6.1.7 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Miguel Useche Js Archive List
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:15:20.942Z

Reserved: 2026-03-12T11:12:13.806Z

Link: CVE-2026-32513

cve-icon Vulnrichment

Updated: 2026-03-25T20:15:10.682Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:17:03.683

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32513

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:12:28Z

Weaknesses