Is Deserialization affected by CVE-2026-25316?

CartFlows versions up to 2.1.19 contain a critical deserialization vulnerability that could allow attackers to inject malicious objects and compromise e-commerce sites using this plugin.

CVE-2026-25316

Q: How to fix CVE-2026-25316?

Within 24 hours: Identify all WordPress instances running CartFlows and document version numbers; disable CartFlows plugin if version <= 2.1.19 until mitigation is confirmed. Within 7 days: Monitor vendor's security advisory for patch release; evaluate alternative e-commerce solutions or request vendor timeline for remediation. Within 30 days: Apply vendor patch immediately upon release; conduct security audit of transaction logs for unauthorized access; notify customers if any suspicious activity detected.

HIGH

2026-02-19 [email protected]

7.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

CVE Published

Feb 19, 2026 - 09:16 nvd

HIGH 7.2

Description

Deserialization of Untrusted Data vulnerability in Brainstorm Force CartFlows cartflows allows Object Injection.This issue affects CartFlows: from n/a through <= 2.1.19.

Analysis

CartFlows through version 2.1.19 contains an unsafe deserialization vulnerability that enables object injection attacks against WordPress installations using the plugin. An authenticated attacker with high privileges can exploit this flaw to achieve arbitrary code execution with full system access. …

Remediation

Within 24 hours: Identify all WordPress instances running CartFlows and document version numbers; disable CartFlows plugin if version <= 2.1.19 until mitigation is confirmed. Within 7 days: Monitor vendor's security advisory for patch release; evaluate alternative e-commerce solutions or request vendor timeline for remediation. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: 0

CVE-2026-25316 vulnerability details – vuln.today

Back

CVE-2026-25316

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-25316

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code