Threat Feed advisory (severity: high)

WooCommerce Infinite Scroll Plugin Vulnerable to PHP Object Injection (CVE-2025-11993)

The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection (CVE-2025-11993) due to deserialization of untrusted data in the 'import_settings' function, potentially leading to arbitrary code execution if a suitable POP chain is present.

The WooCommerce Infinite Scroll and Ajax Pagination plugin, versions 1.8 and earlier, contains a PHP Object Injection vulnerability (CVE-2025-11993). The vulnerability exists within the ‘import_settings’ function, which fails to properly validate data supplied via the ‘settings’ parameter during the import configuration process. This allows authenticated attackers with Subscriber-level access or higher to inject PHP objects by exploiting the deserialization of untrusted data. While the vulnerable plugin itself lacks a Property-Oriented Programming (POP) chain, the presence of such a chain in another plugin or theme installed on the target WordPress system could allow for arbitrary file deletion, sensitive data retrieval, or even code execution. This vulnerability poses a significant risk to WordPress sites utilizing the affected plugin and underscores the importance of careful input validation and regular security audits.

Attack Chain

  1. An attacker authenticates to a WordPress site with at least Subscriber-level privileges.
  2. The attacker crafts a malicious payload containing a serialized PHP object designed to exploit a POP chain present in another installed plugin or theme.
  3. The attacker accesses the import configuration functionality of the “WooCommerce Infinite Scroll and Ajax Pagination” plugin.
  4. The attacker injects the malicious serialized PHP object into the ‘settings’ parameter of the ‘import_settings’ function.
  5. The application deserializes the malicious PHP object without proper sanitization or validation.
  6. If a suitable POP chain exists within the WordPress installation, the deserialized object triggers a sequence of method calls.
  7. The POP chain is exploited to perform unauthorized actions such as deleting arbitrary files, retrieving sensitive information (for example, the database credentials stored in wp-config.php), or executing arbitrary PHP code.
  8. The attacker achieves remote code execution on the target server, potentially compromising the entire WordPress site.

Impact

Successful exploitation of this vulnerability (CVE-2025-11993) could allow an attacker to gain complete control of a vulnerable WordPress website. Depending on the available POP chains, attackers could delete critical files, steal sensitive information, or inject malicious code to further compromise the server and its hosted data. The number of affected sites is potentially large, given the widespread usage of WordPress and the WooCommerce plugin.

Recommendation

  • Upgrade the “WooCommerce Infinite Scroll and Ajax Pagination” plugin to a patched version beyond 1.8 to remediate CVE-2025-11993.
  • Deploy the Sigma rule “Detect WooCommerce Infinite Scroll PHP Object Injection Attempt” to identify exploitation attempts targeting the ‘import_settings’ function.
  • Regularly audit installed WordPress plugins and themes for potential POP chains to reduce the risk of successful exploitation.
  • Implement strict input validation and sanitization measures to prevent deserialization of untrusted data.

Detection coverage (2 rules)

Detect WooCommerce Infinite Scroll PHP Object Injection Attempt

Severity: high

Detects CVE-2025-11993 exploitation — attempts to inject PHP objects via the 'import_settings' function in the WooCommerce Infinite Scroll and Ajax Pagination plugin.

Rule format: Sigma. Tactics: initial_access. Techniques: T1190. Sources: webserver.

Detect Potential PHP Object Injection via Serialized Data in HTTP Request

Severity: medium

Detects potential PHP Object Injection attempts by identifying serialized PHP objects within HTTP request bodies. This rule is generic and may require tuning to reduce false positives, but will catch a wider range of similar attacks.

Rule format: Sigma. Tactics: initial_access. Techniques: T1190. Sources: webserver.
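As an added illustration of the logic behind the two rules above (written for this page, not the Sigma rules themselves and not the plugin's or vendor's code), the following Python classifier scans constructed request records for serialized PHP object headers and separates hits aimed at the plugin's 'settings' parameter (the specific rule) from serialized objects anywhere in a request body (the generic rule). The 'import_settings' action name and the admin-ajax.php path are assumptions; the page names only the function and the parameter.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Header of a serialized PHP object: O:<name-len>:"<ClassName>":<prop-count>:{
# Arrays (a:...) and scalars (s:, i:, b:) are not objects and must not alert.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')

def decode_layers(value: str, max_layers: int = 3) -> str:
    """Undo repeated URL-encoding so a double-encoded value is still inspected."""
    for _ in range(max_layers):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(method: str, uri: str, body: str):
    """Return 'specific' (object in 'settings' sent to import_settings), 'generic' (object elsewhere) or None."""
    params = parse_qs(body, keep_blank_values=True)
    values = [decode_layers(v) for vs in params.values() for v in vs]
    values.append(decode_layers(body))  # also cover non-form bodies (JSON, multipart)
    if not any(PHP_OBJECT_RE.search(v) for v in values):
        return None
    # Assumption: the import routine is reached via an 'import_settings' action
    # name or path segment; the advisory gives only the function and parameter names.
    hits_import = "import_settings" in uri or "import_settings" in params.get("action", [])
    settings_obj = any(PHP_OBJECT_RE.search(decode_layers(v)) for v in params.get("settings", []))
    return "specific" if (method == "POST" and hits_import and settings_obj) else "generic"

# Constructed sample records (method, uri, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php",
     "action=import_settings&settings=%7B%22per_page%22%3A12%7D"),            # JSON: benign
    ("POST", "/wp-admin/admin-ajax.php",
     "action=import_settings&settings=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),  # serialized object
    ("POST", "/wp-admin/admin-ajax.php",
     "action=import_settings&settings=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D"),  # double-encoded
    ("POST", "/contact/", 'msg=O:8:"stdClass":0:{}'),                          # object, unrelated endpoint
    ("POST", "/wp-admin/admin-ajax.php",
     "action=import_settings&settings=a%3A1%3A%7Bs%3A2%3A%22pp%22%3Bi%3A12%3B%7D"),  # array: no alert
]

def scan(records):
    return [classify_request(*r) for r in records]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(verdict, rec[1], rec[2][:60])
```

The generic branch is where the medium-severity rule's false positives come from, so in production it is the one to tune (allow-listing paths that legitimately carry serialized data).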
