
WooCommerce Infinite Scroll CVE-2025-11993

EUVD-2025-209981 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-05-29 Wordfence GHSA-88pw-x8mv-5vj5
8.8 · CVSS 3.1 · NVD

Severity by source

NVD (primary): 8.8 HIGH
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: May 29, 2026 - 06:44 (vuln.today)
CVE Published: May 29, 2026 - 05:32 (nvd) · HIGH 8.8

Description (CVE.org)

The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the 'settings' parameter in the 'import_settings' function. This is due to deserialization of untrusted data supplied via the import configuration feature without capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No POP chain is present within the vulnerable plugin itself, but if a POP chain is present via an additional plugin or theme installed on the target system, it could allow an attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Analysis (AI)

Authenticated PHP Object Injection in the WooCommerce Infinite Scroll and Ajax Pagination WordPress plugin (versions up to and including 1.8) allows Subscriber-level users to deserialize attacker-controlled data via the 'settings' parameter of the import_settings function. While the plugin itself contains no usable POP chain, the presence of any vulnerable gadget in another installed plugin or theme can escalate this into arbitrary file deletion, sensitive data disclosure, or remote code execution. There is no public exploit identified at time of analysis, but the low privilege barrier and ubiquity of WordPress gadget chains make this a meaningful risk for multi-plugin sites.

Technical Context (AI)

The vulnerability stems from CWE-502 (Deserialization of Untrusted Data) in the import/export configuration handler of an sbthemes-developed WordPress plugin marketed through CodeCanyon (CPE: cpe:2.3:a:sbthemes:woocommerce_infinite_scroll_and_ajax_pagination). PHP Object Injection arises when user-supplied input is passed to PHP's unserialize() without sanitization or capability gating; in this case the import_settings function lacks both a capability check (so any logged-in user with Subscriber role can invoke it) and any allowlist of expected object types. Because WordPress sites typically run dozens of plugins and themes sharing the same PHP process, a 'POP' (Property-Oriented Programming) gadget chain present anywhere in that shared codebase - even in an unrelated plugin - can be triggered through this sink to reach dangerous methods such as __destruct, __wakeup, or __toString.

Remediation (AI)

No vendor-released patch identified at time of analysis: the Wordfence advisory and CodeCanyon listing do not document a fixed version above 1.8. Administrators should monitor the CodeCanyon product page (https://codecanyon.net/item/woocommerce-infinite-scroll-and-ajax-pagination/10192075) and the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/a8eb3ec8-0784-4702-86bf-a621b288e7a0?source=cve) for an update and apply it as soon as it is released.

In the interim, the most effective compensating controls are:

- Deactivate and remove the plugin until a fix ships (trade-off: loss of infinite-scroll/pagination UX on store pages).
- Disable open user registration on the WordPress site, or move the default registration role away from Subscriber, to break the PR:L precondition (trade-off: blocks legitimate customer self-signup on WooCommerce stores).
- Add a WAF rule that blocks POST requests targeting the import_settings action/endpoint, or rejects requests where the 'settings' parameter contains serialized PHP markers such as 'O:' or 'a:' followed by length-prefixed strings (trade-off: may produce false positives on legitimate admin imports).

Auditing the site for other plugins/themes known to contain POP gadget chains reduces the impact surface even if the sink remains.
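To make the CWE-502 pattern from the Technical Context and the compensating controls from the Remediation section concrete, the following is an added illustration written for this page; it is not the plugin's code, and the function names (wisap_*), option key, nonce action and settings keys are assumed. It shows an AJAX import handler with the weaknesses the advisory describes (no capability check, raw unserialize() on a request parameter) next to a hardened handler that gates on capability and nonce, refuses serialized-PHP input using the same 'O:'/'a:' length-prefix heuristic the WAF rule relies on, and parses a JSON document into plain arrays against a key allowlist.

```php
<?php
// Added illustration, not the plugin's code. Function, option and nonce
// names are hypothetical; WordPress API calls are real.

// --- Vulnerable pattern (the shape described in the advisory) ---------------
function wisap_import_settings_vulnerable() {
    // wp_ajax_* actions are reachable by any logged-in user, and nothing here
    // checks a capability, so a Subscriber-level account reaches the sink.
    $settings = unserialize( wp_unslash( $_POST['settings'] ) ); // CWE-502 sink
    update_option( 'wisap_settings', $settings );
    wp_send_json_success();
}

// --- Hardened version --------------------------------------------------------

// Heuristic behind the WAF rule in the remediation text: a PHP serialized
// object ('O:') or array ('a:') marker followed by a length prefix, at the
// start of the value or right after a ';' or '{' separator. Coarse by design;
// it can false-positive on legitimate text.
function wisap_looks_like_php_serialized( $value ) {
    return (bool) preg_match( '/(?:^|[;{])[Oa]:\d+:/', (string) $value );
}

// Allowlist of the settings keys the importer accepts and their types.
const WISAP_ALLOWED_SETTINGS = array(
    'pagination_type' => 'string',
    'posts_per_load'  => 'int',
    'load_more_text'  => 'string',
);

// Keep only allowlisted keys and coerce each value to its declared type.
function wisap_sanitize_settings( array $input ) {
    $clean = array();
    foreach ( WISAP_ALLOWED_SETTINGS as $key => $type ) {
        if ( ! array_key_exists( $key, $input ) ) {
            continue;
        }
        $clean[ $key ] = ( 'int' === $type )
            ? absint( $input[ $key ] )
            : sanitize_text_field( (string) $input[ $key ] );
    }
    return $clean;
}

function wisap_import_settings_hardened() {
    // 1. Capability gate: importing configuration is an administrator task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF protection: the form carries wp_create_nonce( 'wisap_import' ).
    check_ajax_referer( 'wisap_import', '_wpnonce' );

    $raw = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';

    // 3. Never unserialize() request data. Reject anything that looks like it,
    //    then parse JSON into plain arrays only (no object instantiation).
    if ( wisap_looks_like_php_serialized( $raw ) ) {
        wp_send_json_error( 'serialized PHP input is not accepted', 400 );
    }
    $decoded = json_decode( $raw, true );
    if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $decoded ) ) {
        wp_send_json_error( 'settings must be a JSON object', 400 );
    }

    // 4. Schema allowlist: unknown keys are dropped, values are coerced.
    update_option( 'wisap_settings', wisap_sanitize_settings( $decoded ) );
    wp_send_json_success();
}

// If legacy serialized exports must still be read, the safe form is
// unserialize( $raw, array( 'allowed_classes' => false ) ) (PHP 7.0+): every
// object becomes __PHP_Incomplete_Class, so no __wakeup/__destruct gadget runs.

add_action( 'wp_ajax_wisap_import_settings', 'wisap_import_settings_hardened' );
```

The capability check alone would close the Subscriber-level path the advisory scores as PR:L, but replacing unserialize() with JSON plus a key allowlist is what removes the CWE-502 sink, so a gadget chain in an unrelated plugin or theme no longer matters for this endpoint. The serialized-marker heuristic is kept as a defence-in-depth rejection and as the same pattern a WAF rule would match.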


CVE-2025-11993 vulnerability details – vuln.today
