EUVD-2026-15760
GHSA-5mg7-jhw3-8jvg
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2.
AnalysisAI
A PHP object injection vulnerability exists in the sbthemes WooCommerce Infinite Scroll plugin (versions up to and including 1.6.2) due to unsafe deserialization of untrusted data. This vulnerability allows attackers to inject malicious serialized objects, potentially leading to remote code execution or arbitrary object instantiation depending on available gadget chains within the WordPress environment. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Authenticated user with access to WooCommerce Infinite Scroll plugin (sbthemes) versions <= 1.6.2. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | While CVSS and EPSS scores are not provided, the risk assessment is elevated based on multiple factors: the vulnerability class (CWE-502) is known to be easily exploitable with high impact in WordPress environments where gadget chains are abundant, the affected plugin is a WooCommerce extension with potentially broad installation across e-commerce sites, and Patchstack's reporting indicates this was sufficiently severe to warrant public disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious serialized PHP object targeting a known gadget chain within the WordPress environment (such as those in common plugins or the WordPress core) and injects it through the vulnerable deserialization point in the WooCommerce Infinite Scroll plugin—likely via a GET/POST parameter, AJAX endpoint, or stored data retrieval. Upon deserialization, the malicious object's magic methods are automatically invoked, triggering a chain of method calls that ultimately executes arbitrary PHP code with the privileges of the web server. … |
| Remediation | Immediately upgrade the sbthemes WooCommerce Infinite Scroll plugin to a version newer than 1.6.2; consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/sb-woocommerce-infinite-scroll/vulnerability/wordpress-woocommerce-infinite-scroll-plugin-1-6-2-php-object-injection-vulnerability?_s_id=cve) for the specific patched version release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 7 days: Identify all affected systems and apply vendor patches promptly. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new u
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outp
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthen
Share
External POC / Exploit Code
Leaving vuln.today