CVE-2026-2020
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Tags
Description
The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Analysis
PHP object injection in the JS Archive List WordPress plugin (versions up to 6.1.7) allows authenticated contributors and above to deserialize untrusted data through the shortcode 'included' parameter. While no direct exploitation path exists in the plugin itself, attackers could leverage gadget chains from other installed plugins or themes to achieve arbitrary file deletion, information disclosure, or remote code execution. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit your WordPress installations to identify all sites using JS Archive List plugin and document current versions. Within 7 days: Disable the vulnerable shortcode functionality via configuration or remove the plugin if not critical to operations; implement role-based restrictions to limit who can create/edit content with shortcodes. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today