Php Object Injection

The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection (CVE-2025-11993) due to deserialization of untrusted data in the 'import_settings' function, potentially leading to arbitrary code execution if a suitable POP chain is present.

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), leading to arbitrary file deletion via SQL injection and PHP object injection due to missing nonce verification and unsafe deserialization, allowing attackers to delete arbitrary files on the server.

Mirasvit Full Page Cache Warmer for Magento 2 before version 1.11.12 contains a PHP object injection vulnerability (CVE-2026-45247) that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie.

The Boost plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-7637) due to deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie, potentially leading to arbitrary code execution if a suitable property-oriented programming (POP) chain is present.

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-7635), allowing unauthenticated attackers to inject a crafted PHP serialized payload via the User-Agent header, leading to a persistent Denial of Service condition.

An unauthenticated PHP Object Injection vulnerability exists in the Profile Builder Pro WordPress plugin (versions up to 3.14.5) due to the insecure use of `maybe_unserialize()` on the 'args' POST parameter in the `wppb_request_users_pins_action_callback()` AJAX handler, potentially leading to arbitrary code execution.