{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/boost-plugin-for-wordpress/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7637"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Boost plugin for WordPress"],"_cs_severities":["critical"],"_cs_tags":["php-object-injection","wordpress","vulnerability"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eCVE-2026-7637 identifies a PHP Object Injection vulnerability within the Boost plugin for WordPress, affecting versions up to and including 2.0.3. The vulnerability stems from the insecure deserialization of data contained within the STYXKEY-BOOST_USER_LOCATION cookie. An unauthenticated attacker can exploit this flaw by injecting a malicious PHP object into the cookie. While the Boost plugin itself does not contain a known property-oriented programming (POP) chain, the presence of such a chain within another installed plugin or theme on the same WordPress instance can escalate the impact significantly, potentially leading to arbitrary code execution. 
Defenders should be aware that successful exploitation depends on the presence of a POP chain from a separate source.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version (\u0026lt;= 2.0.3) of the Boost plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PHP object.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the crafted PHP object into the STYXKEY-BOOST_USER_LOCATION cookie.\u003c/li\u003e\n\u003cli\u003eThe WordPress site receives the HTTP request containing the malicious cookie.\u003c/li\u003e\n\u003cli\u003eThe Boost plugin deserializes the contents of the STYXKEY-BOOST_USER_LOCATION cookie without proper sanitization.\u003c/li\u003e\n\u003cli\u003eIf a POP chain exists within another plugin or theme, the deserialized object triggers the chain.\u003c/li\u003e\n\u003cli\u003eThe POP chain executes malicious code defined by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the WordPress server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7637 can have severe consequences. Although the vulnerable plugin itself doesn\u0026rsquo;t provide a POP chain, a chain available through another plugin can lead to arbitrary code execution and potentially complete system compromise. An attacker could delete arbitrary files, retrieve sensitive data (e.g., database credentials), or install malicious backdoors. The impact is contingent on the availability of a usable POP chain within the WordPress installation. 
Given the prevalence of WordPress and its plugin ecosystem, a successful exploit could affect numerous websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Boost plugin for WordPress to a version beyond 2.0.3 to patch CVE-2026-7637.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PHP Object Injection in STYXKEY-BOOST_USER_LOCATION Cookie\u003c/code\u003e to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview all installed WordPress plugins and themes for potential POP chains that could be triggered by this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the STYXKEY-BOOST_USER_LOCATION cookie and potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T04:20:00Z","date_published":"2026-05-20T04:20:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-7637-boost-php-object-injection/","summary":"The Boost plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-7637) due to deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie, potentially leading to arbitrary code execution if a suitable property-oriented programming (POP) chain is present.","title":"CVE-2026-7637 - Boost Plugin for WordPress PHP Object Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-7637-boost-php-object-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Boost Plugin for WordPress","version":"https://jsonfeed.org/version/1.1"}