Description
The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Published: 2026-05-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Boost plugin for WordPress allows unauthenticated PHP Object Injection via deserialization of the STYXKEY-BOOST_USER_LOCATION cookie. The flaw maps to CWE-502 (deserialization of untrusted data): the plugin passes an attacker-controlled cookie value to PHP's deserializer, so an unauthenticated request can cause an object of any class loaded on the site to be instantiated with attacker-chosen property values. Instantiating an object is not harmful by itself; impact comes from a POP (property-oriented programming) chain, a set of classes whose magic methods (such as __wakeup or __destruct) act on those properties. The advisory reports no such chain in Boost itself, so the vulnerability has no direct impact unless another installed plugin or theme supplies one.
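The pattern behind CWE-502, and why the POP chain is what turns it into impact, as an added PHP illustration that is not the Boost plugin's code: only the cookie name is taken from the advisory, while the function names, the LogFileGadget class (standing in for a gadget some other plugin or theme might provide) and the constructed payload are assumptions. It places a raw unserialize() of the cookie beside a hardened reader that refuses objects and keeps only whitelisted string fields.

```php
<?php
// Added illustration of the vulnerable pattern and a hardened replacement.
// This is not the Boost plugin's code: only the cookie name comes from the
// advisory. The function names, the LogFileGadget class and the constructed
// payload are assumptions made for this example. Requires PHP 8.0+.
declare(strict_types=1);

const LOCATION_COOKIE = 'STYXKEY-BOOST_USER_LOCATION';

// Records what a gadget's destructor "did", so the effect can be inspected.
final class GadgetLog
{
    /** @var string[] */
    public static array $destroyed = [];
}

// Hypothetical gadget of the kind a *different* plugin or theme might ship:
// a class whose __destruct() acts on an attacker-controlled property. The
// advisory says Boost itself has no such chain; this stands in for one.
class LogFileGadget
{
    public string $path = '';

    public function __destruct()
    {
        // A real gadget might unlink($this->path) or write to it. Here the
        // path is only recorded so the example is safe to run.
        GadgetLog::$destroyed[] = $this->path;
    }
}

// Vulnerable pattern (CWE-502): the cookie goes straight into unserialize(),
// so any loaded class can be instantiated with attacker-chosen properties.
function vulnerable_read_location(string $cookie_value): mixed
{
    return unserialize($cookie_value);
}

// Hardened pattern: objects are refused (allowed_classes => false turns any
// O:/C: token into __PHP_Incomplete_Class, whose magic methods never run),
// and only whitelisted string fields of a plain array are kept.
function hardened_read_location(string $cookie_value): ?array
{
    $value = @unserialize($cookie_value, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null;
    }
    $clean = [];
    foreach (['country', 'region', 'city'] as $key) {
        if (isset($value[$key]) && is_string($value[$key])) {
            $clean[$key] = substr($value[$key], 0, 64);
        }
    }
    return $clean;
}

// Constructed attacker cookie: a serialized LogFileGadget with a chosen path.
// Serialized strings are length-prefixed, so sprintf() computes the lengths.
function attacker_payload(string $path): string
{
    return sprintf('O:13:"LogFileGadget":1:{s:4:"path";s:%d:"%s";}', strlen($path), $path);
}

function demo(): array
{
    $payload = attacker_payload('/var/www/html/.htaccess');

    GadgetLog::$destroyed = [];
    $obj = vulnerable_read_location($payload); // LogFileGadget is instantiated here...
    unset($obj);                               // ...and its __destruct() fires on the attacker's path
    $vulnerable_effect = GadgetLog::$destroyed;

    GadgetLog::$destroyed = [];
    $rejected = hardened_read_location($payload);   // object payload: returns null
    $accepted = hardened_read_location(serialize(['country' => 'DE', 'city' => 'Berlin', 'x' => 1]));
    $hardened_effect = GadgetLog::$destroyed;       // stays empty: no gadget ran

    return [
        'cookie'            => LOCATION_COOKIE,
        'vulnerable_effect' => $vulnerable_effect,
        'hardened_rejected' => $rejected,
        'hardened_accepted' => $accepted,
        'hardened_effect'   => $hardened_effect,
    ];
}

if (PHP_SAPI === 'cli') {
    var_export(demo());
    echo PHP_EOL;
}
```

Run it with `php` from the command line: the vulnerable path records the attacker's chosen file path via the gadget's destructor, while the hardened reader returns null for the same payload and only the whitelisted country/city keys for a legitimate array. The point of allowed_classes => false is that even with a gadget class loaded, unserialize() never produces an instance of it; a JSON-encoded cookie read with json_decode() removes the object semantics entirely and is the better choice for new code.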

Affected Systems

WordPress sites running the Boost plugin from PixelYourSite at version 2.0.3 or earlier are affected. The flaw is triggered by a client-supplied cookie on an unauthenticated request, so any site exposing an outdated version of the plugin is potentially reachable.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the issue Critical; the EPSS score shown on this page is below 1%, and the vulnerability is not listed in the CISA KEV catalog. The attack is unauthenticated and network-reachable: an attacker sends a request carrying a crafted STYXKEY-BOOST_USER_LOCATION cookie to the vulnerable site, with no user interaction required. If a plugin or theme on the same site supplies a POP chain, that chain determines the outcome, which may include arbitrary file deletion, disclosure of sensitive data, or code execution. Without such a chain the injection has no known impact, but any later plugin or theme install can change that, and the base score assumes the worst case, so updating should not be deferred.

Generated by OpenCVE AI on May 20, 2026 at 04:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Boost plugin to a release later than 2.0.3 (the affected range is up to and including 2.0.3). The Remediation section above records no vendor fix at the time this page was generated, so confirm that a fixed release is actually available before treating the upgrade as done.
  • Remove or update any plugins or themes that contain a known POP (property-oriented programming) chain. The injection only becomes exploitable through such a chain, so auditing the rest of the plugin and theme inventory is part of the fix.
  • Until the plugin is updated, drop or reject the STYXKEY-BOOST_USER_LOCATION cookie at the edge (reverse proxy or WAF) or in a must-use plugin whenever its value carries a serialized PHP class token (O:<length>:"), so the payload never reaches unserialize().
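One way to apply the third action in code, as an added example rather than anything published by PixelYourSite or Wordfence: a WordPress must-use plugin that removes the STYXKEY-BOOST_USER_LOCATION cookie from the request when it carries a serialized object token, before regular plugins load. The cookie name comes from the advisory; the detection rule, function names and log format are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary mitigation for CVE-2026-7637 (drop serialized STYXKEY-BOOST_USER_LOCATION cookie)
 *
 * Added example, not code from PixelYourSite, Boost or Wordfence. Place this
 * file in wp-content/mu-plugins/; must-use plugins load before regular
 * plugins, so the cookie is removed before Boost can read it. The cookie name
 * comes from the advisory; the detection rule, function names and the log
 * format are assumptions made for this example. Requires PHP 7.4+.
 */

const BOOST_LOCATION_COOKIE = 'STYXKEY-BOOST_USER_LOCATION';

/**
 * True when the value carries a serialized PHP object token (O:<len>:") or
 * custom-serialized class token (C:<len>:"), including one nested inside a
 * serialized array. PHP already URL-decodes $_COOKIE, but the value is decoded
 * once more for inspection in case the consumer decodes it again, which would
 * otherwise let a double-encoded payload slip past the check.
 */
function boost_cookie_carries_object(string $value): bool
{
    $pattern = '/[OC]:\d+:"/';
    return preg_match($pattern, $value) === 1
        || preg_match($pattern, rawurldecode($value)) === 1;
}

/**
 * Returns the cookie array with the Boost location cookie removed when it
 * carries an object. Written as a pure function over the array so it can be
 * exercised outside WordPress with a constructed $_COOKIE.
 */
function boost_strip_location_cookie(array $cookies): array
{
    $value = $cookies[BOOST_LOCATION_COOKIE] ?? null;
    if (is_string($value) && boost_cookie_carries_object($value)) {
        unset($cookies[BOOST_LOCATION_COOKIE]);
        // Leave a detection trail; the value is truncated so the log does
        // not become a store of full payloads.
        error_log(sprintf(
            'CVE-2026-7637 mitigation: dropped %s cookie from %s (%s...)',
            BOOST_LOCATION_COOKIE,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            substr($value, 0, 40)
        ));
    }
    return $cookies;
}

// Apply to the live request so the value never reaches unserialize() in Boost.
$_COOKIE = boost_strip_location_cookie($_COOKIE);
```

This assumes Boost reads the value through $_COOKIE, which is how WordPress plugins normally access cookies; a plugin that parses $_SERVER['HTTP_COOKIE'] itself would not be covered, in which case the same rule belongs at the reverse proxy or WAF. Dropping the cookie degrades the plugin's location feature for that request only, which is an acceptable trade until the fixed release is installed. The error_log line gives the SOC a per-request record of attempts, useful for confirming whether the site was being probed before the update.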


Advisories

No advisories yet.

History

Wed, 20 May 2026 13:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Pixelyoursite; Pixelyoursite boost; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Pixelyoursite; Pixelyoursite boost; Wordpress; Wordpress wordpress

Wed, 20 May 2026 03:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Type: Title
Values Removed: (none)
Values Added: Boost <= 2.0.3 - Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-502

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T12:47:24.288Z

Reserved: 2026-05-01T15:30:51.110Z

Link: CVE-2026-7637

Vulnrichment

Updated: 2026-05-20T12:47:21.001Z

NVD

Status: Deferred

Published: 2026-05-20T04:16:56.747

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-7637

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:05Z

Weaknesses