Description
Unauthenticated PHP Object Injection in WooCommerce Product Filters < 2.0.6 versions.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WooCommerce Product Filters plugin for WordPress includes a PHP Object Injection flaw in versions older than 2.0.6. This weakness allows a hostile input containing a serialized PHP object to be processed without authentication or input validation. When such an object is deserialized, arbitrary PHP objects can be instantiated and their constructor or magic methods may be invoked, ultimately enabling the attacker to execute arbitrary code within the web application’s context. The vulnerability is classified under CWE-502, indicating improper deserialization handling.

Affected Systems

Every WordPress site that has the WooCommerce Product Filters plugin from Barn2 Media Ltd installed at a version earlier than 2.0.6 is impacted. The flaw resides solely within the plugin, so WordPress core and other plugins are not directly affected. Sites that rely on the plugin for product filtering are therefore exposed.

Risk and Exploitability

The CVSS score of 9.8 denotes critical severity, and the EPSS score is not available, leaving the precise probability of exploitation unknown but potentially high. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an unauthenticated attacker can send a crafted serialized object to one of the plugin’s input endpoints via an HTTP request. Because the plugin processes the payload without authentication or integrity checks, the attacker can achieve full control over PHP object creation and method invocation, enabling remote code execution.

Generated by OpenCVE AI on June 18, 2026 at 14:34 UTC.

Remediation

Vendor Solution

Update the WordPress WooCommerce Product Filters Plugin to the latest available version (at least 2.0.6).


OpenCVE Recommended Actions

  • Update the WooCommerce Product Filters plugin to at least version 2.0.6.
  • Disable or uninstall the vulnerable plugin on all production instances until the update is applied.
  • Apply input validation to restrict deserialization to trusted data sources, review the plugin code for similar weaknesses, and consider deploying a web application firewall to block malicious payloads.

Generated by OpenCVE AI on June 18, 2026 at 14:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Barn2 Media Ltd
Barn2 Media Ltd woocommerce Product Filters
Wordpress
Wordpress wordpress
Vendors & Products Barn2 Media Ltd
Barn2 Media Ltd woocommerce Product Filters
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in WooCommerce Product Filters < 2.0.6 versions.
Title WordPress WooCommerce Product Filters plugin < 2.0.6 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Barn2 Media Ltd Woocommerce Product Filters
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:31:08.810Z

Reserved: 2026-04-15T09:19:20.453Z

Link: CVE-2026-40725

cve-icon Vulnrichment

Updated: 2026-06-17T13:43:22.774Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:19Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data