Skip to main content

WPJAM Basic CVE-2026-57371

| EUVDEUVD-2026-43447 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-13 Patchstack
8.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable plugin endpoint (AV:N/AC:L) requiring a low-privilege authenticated account (PR:L); PHP object injection can reach full CIA compromise via gadget chains (C/I/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:07 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 8.8

DescriptionCVE.org

Deserialization of Untrusted Data vulnerability in denishua WPJAM Basic wpjam-basic allows Object Injection.This issue affects WPJAM Basic: from n/a through <= 7.0.

AnalysisAI

PHP Object Injection in the WPJAM Basic WordPress plugin (denishua) affects all versions up to and including 7.0, allowing an authenticated attacker to inject crafted serialized objects that are deserialized by the plugin. Reported by Patchstack and rated CVSS 8.8, it can lead to high-impact compromise (confidentiality, integrity, and availability) of the WordPress site, though exploitation requires at least low-level authenticated access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-priv WordPress account
Delivery
Craft malicious serialized PHP object
Exploit
Submit payload to vulnerable plugin input
Execution
Plugin deserializes untrusted data
Persist
POP gadget chain executes
Impact
Achieve code execution or data compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires the WPJAM Basic plugin (versions n/a through 7.0) to be installed and active, and - per the CVSS PR:L metric - the attacker must hold at least a low-privileged authenticated account on the target WordPress site (e.g., a subscriber or contributor obtained via open self-registration). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8) indicates network-reachable, low-complexity exploitation requiring only low privileges and no user interaction, with full CIA impact - a genuinely serious combination for an internet-facing WordPress plugin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege account on a WordPress site running WPJAM Basic <= 7.0, then submits a crafted serialized PHP object to a plugin input that reaches unserialize(). When the plugin deserializes the payload, a POP gadget chain in WordPress or loaded plugins fires, letting the attacker read/write files, tamper with the database, or execute code. …
Remediation No vendor-released patch version was identified in the available data, so upgrade to a fixed release once denishua publishes one (monitor the plugin changelog and the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpjam-basic/vulnerability/wordpress-wpjam-basic-plugin-7-0-php-object-injection-vulnerability). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all WordPress installations to identify WPJAM Basic plugin usage and determine affected versions (7.0 and below). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy