
CTX Feed EUVD-2026-36924

CVE-2026-39434 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-15 Patchstack GHSA-7hfg-g6xf-6f7q
7.2 CVSS 3.1 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), PRIMARY: 7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 7.2 HIGH

Network-reachable wp-admin endpoint (AV:N/AC:L), Shop Manager role required (PR:H), no victim interaction (UI:N); PHP object injection typically yields full RCE, giving high C/I/A.

CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026 - 22:35 (vuln.today)

Description (CVE.org)

Shop manager PHP Object Injection in CTX Feed <= 6.6.26 versions.

Analysis (AI)

PHP Object Injection in the CTX Feed (WebAppick Product Feed for WooCommerce) WordPress plugin, versions up to and including 6.6.26, allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, leading to full compromise of confidentiality, integrity, and availability on the host site. The flaw was disclosed by Patchstack and is tracked as EUVD-2026-36924; no public exploit was identified at the time of analysis, and the issue is not listed in CISA KEV.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain Shop Manager credentials
Delivery: Authenticate to wp-admin
Exploit: Submit serialized PHP payload to CTX Feed
Execution: Trigger unserialize() and POP gadget chain
Persist: Execute arbitrary PHP as web user
Impact: Drop webshell and exfiltrate WooCommerce data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated session with at least the WooCommerce Shop Manager role (PR:H in the CVSS vector) on a WordPress site running CTX Feed <= 6.6.26, and the attacker must be able to reach the plugin's vulnerable admin handler over the network (AV:N, no user interaction). …

Risk Assessment: The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, base 7.2) reflects a high-privilege but network-reachable flaw with full CIA impact, which is realistic for a Shop Manager-scoped object injection. …

Exploit Scenario: An attacker who has obtained Shop Manager credentials (via phishing of a store staff account, credential reuse, or a chained privilege bug) logs into wp-admin and submits a crafted serialized PHP payload to a vulnerable CTX Feed parameter. The injected gadget chain leverages classes loaded by WordPress, WooCommerce, or another active plugin to write a PHP webshell or execute arbitrary code as the web server user, resulting in full site takeover and a pivot into the WooCommerce order/customer database.

Remediation: Patch status: patch available per vendor advisory. Upgrade CTX Feed to a version newer than 6.6.26 as identified in the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/webappick-product-feed-for-woocommerce/vulnerability/wordpress-ctx-feed-plugin-6-6-26-php-object-injection-vulnerability), and confirm the fixed release on the WordPress.org plugin page before deployment. …

Recommended Action (AI)

Within 24 hours: Identify all WordPress instances running WebAppick Product Feed version 6.6.26 or earlier; audit all Shop Manager account assignments. …
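A triage helper for the remediation and recommended-action steps above, added here as an example that is not vuln.today's, Patchstack's or WebAppick's code. It assumes WP-CLI (`wp`) is installed and the script is run from the WordPress root, takes the plugin slug webappick-product-feed-for-woocommerce from the Patchstack advisory URL, and treats any purely numeric dotted version less than or equal to 6.6.26 as affected.

```shell
#!/bin/sh
# Added example (not from vuln.today or WebAppick). Assumes WP-CLI ("wp") is
# installed and that the script runs from the WordPress root. The plugin slug
# below is taken from the Patchstack advisory URL; versions are assumed to be
# purely numeric dotted strings (no pre-release suffixes).
set -eu

LAST_AFFECTED="6.6.26"                       # CTX Feed <= 6.6.26 is affected
SLUG="webappick-product-feed-for-woocommerce"

# version_le A B: exit 0 when dotted version A <= B, comparing each numeric
# component in turn; missing trailing components count as 0.
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 0
}

# is_affected VERSION: exit 0 when the installed CTX Feed version is affected.
is_affected() {
    version_le "$1" "$LAST_AFFECTED"
}

# check_site: read the installed version via WP-CLI, report whether it needs
# the upgrade, and list the Shop Manager accounts that should be audited
# (Shop Manager is the minimum role needed to reach the vulnerable handler).
check_site() {
    if ! ver=$(wp plugin get "$SLUG" --field=version 2>/dev/null); then
        echo "CTX Feed ($SLUG) is not installed on this site"
        return 0
    fi
    if is_affected "$ver"; then
        echo "AFFECTED: CTX Feed $ver <= $LAST_AFFECTED, upgrade required"
    else
        echo "OK: CTX Feed $ver is newer than $LAST_AFFECTED"
    fi
    echo "Shop Manager accounts to review:"
    wp user list --role=shop_manager --fields=ID,user_login,user_email
}

# Run the check only when invoked with --check, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then check_site; fi
```

Run it once per WordPress install (`sh ctxfeed-check.sh --check`); a multi-site fleet can loop over installs and feed the AFFECTED lines into the patch queue.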
