
Advanced Product Fields CVE-2026-39499

EUVD-2026-36946 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-15 · Patchstack · GHSA-gr67-hjv8-58w8
7.2 (CVSS 3.1) · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary rating: 7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 7.2 HIGH

Reachable over the network via the WP admin interface with no user interaction, but requires the high-privilege Shop Manager role; successful deserialization yields full code execution and thus high C/I/A.

CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 15, 2026 - 22:25 (vuln.today)
CVE Published: Jun 15, 2026 - 20:17 (cve.org), rated HIGH 7.2

Description (CVE.org)

Shop manager PHP Object Injection in Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.19 versions.

Analysis (AI)

PHP Object Injection in the Advanced Product Fields (Product Addons) for WooCommerce plugin, versions 1.6.19 and below, allows authenticated users with Shop Manager privileges to have attacker-controlled data deserialized, potentially leading to remote code execution or full site compromise depending on the PHP gadget chains available in the installation. The flaw was disclosed by Patchstack and is tracked as EUVD-2026-36946; no public exploit was identified at the time of analysis, and the issue is not in CISA KEV.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain Shop Manager credentials
Delivery: Authenticate to WooCommerce admin
Exploit: Submit serialized PHP object to vulnerable plugin endpoint
Execution: Trigger unserialize() and POP gadget chain
Persist: Execute arbitrary PHP / write webshell
Impact: Escalate to full site administrator

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated WordPress session holding the WooCommerce Shop Manager capability (CVSS PR:H), the Advanced Product Fields (Product Addons) for WooCommerce plugin installed and active at version ≤1.6.19, and the ability to reach the plugin's admin or AJAX endpoint that passes input into unserialize(). …

Risk Assessment: The CVSS 3.1 score is 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - network reachable and low complexity, but requiring high privileges (Shop Manager), with full CIA impact on success. …

Exploit Scenario: An attacker who has obtained Shop Manager credentials - through phishing, credential stuffing against a store staff account, or a compromised contractor - logs into the WooCommerce admin and submits a crafted serialized PHP object to a vulnerable Advanced Product Fields endpoint. Upon deserialization, a gadget chain from WordPress core or another installed plugin executes, allowing the attacker to write a PHP webshell or escalate to full administrator, taking over the store. …

Remediation: Upgrade the Advanced Product Fields (Product Addons) for WooCommerce plugin to a version newer than 1.6.19 as published by the vendor. No fixed version was published in the supplied data; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/advanced-product-fields-for-woocommerce/vulnerability/wordpress-advanced-product-fields-product-addons-for-woocommerce-plugin-1-6-19-php-object-injection-vulnerability for the fixed release once available. …

Recommended Action (AI)

Within 24 hours: Identify all WooCommerce instances running Advanced Product Fields for WooCommerce versions 1.6.19 or below and audit current Shop Manager role assignments. …
