EUVD-2026-15487Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Deserialization of Untrusted Data vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Object Injection.This issue affects Product Feed for WooCommerce: from n/a through <= 2.3.3.
AnalysisAI
The WebToffee Product Feed for WooCommerce plugin contains a PHP object injection vulnerability stemming from insecure deserialization of untrusted data (CWE-502), affecting versions up to and including 2.3.3. An attacker can exploit this vulnerability to inject arbitrary objects into the application, potentially leading to remote code execution or data manipulation depending on available gadget chains in the WordPress/PHP environment. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires high-privilege administrator access to WebToffee Product Feed for WooCommerce plugin (versions <= 2.3.3). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | While CVSS and EPSS scores are not yet published for CVE-2026-22480, the underlying vulnerability class (CWE-502) is consistently rated as critical in security literature. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to a WordPress site running the vulnerable WebToffee Product Feed plugin could craft a malicious serialized PHP object and submit it via a product feed import, API endpoint, or form parameter that the plugin processes without proper validation. Upon deserialization, the injected object could trigger a chain of magic method calls that ultimately execute arbitrary code or access sensitive data. … |
| Remediation | Upgrade the WebToffee Product Feed for WooCommerce plugin to a version later than 2.3.3 as soon as a patched release is available from the vendor. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 7 days: Identify all affected systems and apply vendor patches promptly. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new u
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outp
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthen
Share
External POC / Exploit Code
Leaving vuln.today