CVE-2026-7637 - Boost Plugin for WordPress PHP Object Injection
The Boost plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-7637) due to deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie, potentially leading to arbitrary code execution if a suitable property-oriented programming (POP) chain is present.
CVE-2026-7637 identifies a PHP Object Injection vulnerability within the Boost plugin for WordPress, affecting versions up to and including 2.0.3. The vulnerability stems from the insecure deserialization of data contained within the STYXKEY-BOOST_USER_LOCATION cookie. An unauthenticated attacker can exploit this flaw by injecting a malicious PHP object into the cookie. While the Boost plugin itself does not contain a known property-oriented programming (POP) chain, the presence of such a chain within another installed plugin or theme on the same WordPress instance can escalate the impact significantly, potentially leading to arbitrary code execution. Defenders should be aware that successful exploitation depends on the presence of a POP chain from a separate source.
Attack Chain
- An unauthenticated attacker identifies a WordPress site using a vulnerable version (<= 2.0.3) of the Boost plugin.
- The attacker crafts a malicious PHP object.
- The attacker injects the crafted PHP object into the STYXKEY-BOOST_USER_LOCATION cookie.
- The WordPress site receives the HTTP request containing the malicious cookie.
- The Boost plugin deserializes the contents of the STYXKEY-BOOST_USER_LOCATION cookie without proper sanitization.
- If a POP chain exists within another plugin or theme, the deserialized object triggers the chain.
- The POP chain executes malicious code defined by the attacker.
- The attacker achieves arbitrary code execution on the WordPress server.
Impact
Successful exploitation of CVE-2026-7637 can have severe consequences. Although the vulnerable plugin itself doesn't provide a POP chain, a chain in another plugin or theme can lead to arbitrary code execution and, from there, complete system compromise. An attacker could delete arbitrary files, retrieve sensitive data (e.g., database credentials), or install malicious backdoors. The impact is contingent on the availability of a usable POP chain within the WordPress installation. Given the prevalence of WordPress and its plugin ecosystem, a successful exploit could affect numerous websites.
Recommendation
- Upgrade the Boost plugin for WordPress to a version beyond 2.0.3 to patch CVE-2026-7637.
- Deploy the Sigma rule "Detect PHP Object Injection in STYXKEY-BOOST_USER_LOCATION Cookie" to your SIEM to detect exploitation attempts.
- Review all installed WordPress plugins and themes for potential POP chains that could be triggered by this vulnerability.
- Monitor web server logs for suspicious activity related to the STYXKEY-BOOST_USER_LOCATION cookie and potential exploitation attempts.
Detection coverage 2
Detect PHP Object Injection in STYXKEY-BOOST_USER_LOCATION Cookie
Severity: critical. Detects CVE-2026-7637 exploitation - PHP Object Injection attempts via the STYXKEY-BOOST_USER_LOCATION cookie.
Detect base64 encoded STYXKEY-BOOST_USER_LOCATION Cookie
Severity: high. Detects a base64 encoded STYXKEY-BOOST_USER_LOCATION cookie. Base64 encoding is often used to avoid signature detection.
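An added sketch of the logic the two detections above describe, not the platform's Sigma rules and not code from the plugin: it checks the cookie for a serialized PHP object, both in the clear and after base64 decoding. The function names and sample Cookie headers are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

COOKIE_NAME = "STYXKEY-BOOST_USER_LOCATION"  # cookie named in the advisory

# Shape of a PHP serialize() object: O:<len>:"Class":<count>:{ (C: for Serializable).
# The optional "+" tolerates a signed length field.
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"[^"]+":\d+:\{')

def cookie_value(header, name=COOKIE_NAME):
    """Return the raw value of `name` from a Cookie header, or None if absent."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def classify(header):
    """Return 'object', 'object-base64', or None for one Cookie header."""
    raw = cookie_value(header)
    if raw is None:
        return None
    plain = unquote(raw)  # cookies carry ';' and '"' percent-encoded
    if PHP_OBJECT.search(plain):
        return "object"
    try:
        padded = plain + "=" * (-len(plain) % 4)
        inner = base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    return "object-base64" if PHP_OBJECT.search(inner) else None

def scan(headers):
    """Return (index, verdict) for every header that carries an object."""
    hits = [(i, classify(h)) for i, h in enumerate(headers)]
    return [(i, v) for i, v in hits if v]

# Constructed sample headers (not real traffic); stdClass is PHP's empty built-in class.
SAMPLES = [
    "wp_lang=en; " + COOKIE_NAME + "=a%3A1%3A%7Bs%3A7%3A%22country%22%3Bs%3A2%3A%22US%22%3B%7D",
    COOKIE_NAME + "=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
    COOKIE_NAME + "=" + base64.b64encode(b'O:8:"stdClass":0:{}').decode(),
    "wp_lang=en",
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLES):
        print(index, verdict)
```

A serialized array of scalars (the first sample) is not flagged; only object markers are, which keeps the check focused on the injection primitive the advisory describes.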
Detection queries are available on the platform.