{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22333", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:02.765Z", "datePublished": "2026-02-19T08:26:47.849Z", "dateUpdated": "2026-04-28T16:46:37.968Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "yith-woocommerce-compare", "product": "YITH WooCommerce Compare", "vendor": "YITHEMES", "versions": [{"changes": [{"at": "3.7.0", "status": "unaffected"}], "lessThanOrEqual": "3.6.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "mcdruid | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:55.491Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection.<p>This issue affects YITH WooCommerce Compare: from n/a through <= 3.6.0.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection.This issue affects YITH WooCommerce Compare: from n/a through <= 3.6.0."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:40.792Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-compare/vulnerability/wordpress-yith-woocommerce-compare-plugin-3-6-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve"}], "title": "WordPress YITH WooCommerce Compare plugin <= 3.6.0 - Deserialization of untrusted data vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T20:52:24.026457Z", "id": "CVE-2026-22333", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:46:37.968Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22333", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:02.765Z", "datePublished": "2026-02-19T08:26:47.849Z", "dateUpdated": "2026-04-28T16:46:37.968Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "yith-woocommerce-compare", "product": "YITH WooCommerce Compare", "vendor": "YITHEMES", "versions": [{"changes": [{"at": "3.7.0", "status": "unaffected"}], "lessThanOrEqual": "3.6.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "mcdruid | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:55.491Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection.<p>This issue affects YITH WooCommerce Compare: from n/a through <= 3.6.0.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection.This issue affects YITH WooCommerce Compare: from n/a through <= 3.6.0."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:40.792Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-compare/vulnerability/wordpress-yith-woocommerce-compare-plugin-3-6-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve"}], "title": "WordPress YITH WooCommerce Compare plugin <= 3.6.0 - Deserialization of untrusted data vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22333", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T20:52:24.026457Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:52:20.873Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection.This issue affects YITH WooCommerce Compare: from n/a through <= 3.6.0."}, {"lang": "es", "value": "Deserializaci\u00f3n de Datos No Confiables vulnerabilidad en YITHEMES YITH WooCommerce Compare yith-woocommerce-compare permite Inyecci\u00f3n de Objetos. Este problema afecta a YITH WooCommerce Compare: desde n/a hasta &lt;= 3.6.0."}], "id": "CVE-2026-22333", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:11.600", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-compare/vulnerability/wordpress-yith-woocommerce-compare-plugin-3-6-0-deserialization-of-untrusted-data-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "YITH WooCommerce Compare", "source": "cna", "vendor": "YITHEMES"}, "product": "yith_woocommerce_compare", "vendor": "yithemes"}], "analysis": {"en": {"generated_at": "2026-04-16T06:44:10.820024+00:00", "value": {"mitigation_remediation": ["Upgrade the YITH WooCommerce Compare plugin to the latest version that removes the deserialization logic (at least version 3.6.1).", "If an update cannot be applied immediately, temporarily disable the plugin or place the WordPress site into maintenance mode to prevent exploitation of the deserialization flaw.", "Modify the plugin\u2019s deserialization handling to validate object types against a strict whitelist before execution, ensuring only trusted classes are instantiated from input data."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via object injection"}, "threat_synthesis": {"affected_systems": "Affects the YITHEMES YITH WooCommerce Compare WordPress plugin version 3.6.0 and all earlier releases. Users who have installed this plugin on their WordPress sites are at risk until they upgrade beyond the 3.6.0 threshold.", "description_and_impact": "The vulnerability allows deserialization of untrusted data within the YITHEMES YITH WooCommerce Compare plugin, resulting in object injection that can lead to arbitrary code execution. An attacker could potentially compromise the website\u2019s confidentiality, integrity, and availability by triggering the deserialization process and causing malicious objects to be instantiated and executed on the server.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity, while the EPSS score of less than 1% reflects a low probability of real\u2011world exploitation at this time. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector would involve an attacker sending crafted serialized data to the plugin\u2014potentially through a web request or an administrative interface\u2014triggering the vulnerable deserialization routine. Based on the description, it is inferred that exploitation may require authenticated access with administrative privileges, but the flaw could also be leveraged by unauthenticated users if the plugin accepts external input from such users."}}}}, "created": "2026-02-20T10:11:24.933798+00:00", "updated": "2026-04-16T06:45:16.320978+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "yithemes", "yithemes$PRODUCT$yith_woocommerce_compare"]}