{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1235", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-01-20T16:01:12.343Z", "datePublished": "2026-02-11T06:00:08.398Z", "dateUpdated": "2026-04-02T12:39:57.069Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:57.069Z"}, "title": "WP eCommerce <= 3.15.1 - Unauthenticated PHP Object Injection", "problemTypes": [{"descriptions": [{"description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "WP eCommerce", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThanOrEqual": "3.15.1"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog."}], "references": [{"url": "https://wpscan.com/vulnerability/c7eb234e-3113-40db-a00d-358604d91e3f/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "yi\u011fit ibrahim sa\u011flam", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-502", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T15:53:38.649157Z", "id": "CVE-2026-1235", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:54:37.663Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-1235", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T15:53:38.649157Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:52:49.513Z"}}], "cna": {"title": "WP eCommerce <= 3.15.1 - Unauthenticated PHP Object Injection", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "yi\u011fit ibrahim sa\u011flam"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "WP eCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.15.1"}], "defaultStatus": "unknown"}], "references": [{"url": "https://wpscan.com/vulnerability/c7eb234e-3113-40db-a00d-358604d91e3f/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-02T12:39:57.069Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1235", "state": "PUBLISHED", "dateUpdated": "2026-04-02T12:39:57.069Z", "dateReserved": "2026-01-20T16:01:12.343Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-02-11T06:00:08.398Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog."}, {"lang": "es", "value": "El plugin de WordPress WP eCommerce hasta la versi\u00f3n 3.15.1 deserializa la entrada del usuario a trav\u00e9s de acciones AJAX, lo que podr\u00eda permitir a usuarios no autenticados realizar una inyecci\u00f3n de objetos PHP cuando un gadget adecuado est\u00e1 presente en el blog."}], "id": "CVE-2026-1235", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-11T06:15:51.220", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/c7eb234e-3113-40db-a00d-358604d91e3f/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.15.1]"}}], "product": "wp_ecommerce", "vendor": "wp_ecommerce"}], "analysis": {"en": {"generated_at": "2026-04-15T21:14:32.534120+00:00", "value": {"mitigation_remediation": ["Upgrade the WP eCommerce plugin to the latest available version that removes the unserialize logic (any release newer than 3.15.1).", "If an upgrade is not immediately possible, block or disable the AJAX endpoint that triggers the unserialization\u2014this can be done via a web application firewall rule or by adding a restriction in the site\u2019s .htaccess file.", "As a temporary workaround, audit third\u2011party plugins or themes for deserialization gadgets and remove or replace any that provide them; ensure that any remaining code performing unserialize includes strict type checks and input validation."], "summary": {"action": "Apply Patch Immediately", "impact": "Unauthenticated PHP Object Injection that can lead to arbitrary code execution"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WP eCommerce plugin version 3.15.1 or earlier are affected; the vulnerability resides in the plugin\u2019s core code and requires the presence of a PHP gadget to fully exploit.", "description_and_impact": "The WP eCommerce WordPress plugin through version 3.15.1 unserializes untrusted user input via AJAX actions, enabling an attacker who does not need to authenticate to trigger PHP Object Injection whenever a compatible gadget is present on the site\u2019s codebase; this flaw falls under CWE\u2011502 and can potentially allow the attacker to execute arbitrary logic on the server.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw is unauthenticated and easy to trigger, but practical exploitation depends on a suitable gadget, which may limit real\u2011world risk. The vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-02-11T21:46:10.289913+00:00", "updated": "2026-04-15T21:15:13.590553+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wp_ecommerce", "wp_ecommerce$PRODUCT$wp_ecommerce"]}