{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22471", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:06.688Z", "datePublished": "2026-03-05T05:53:46.338Z", "dateUpdated": "2026-04-28T17:17:43.919Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "secudeal-payments-for-ecommerce", "product": "Secudeal Payments for Ecommerce", "vendor": "maximsecudeal", "versions": [{"lessThanOrEqual": "1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Mrreee | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:19:19.918Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce allows Object Injection.<p>This issue affects Secudeal Payments for Ecommerce: from n/a through <= 1.1.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce allows Object Injection.This issue affects Secudeal Payments for Ecommerce: from n/a through <= 1.1."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:44.625Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/secudeal-payments-for-ecommerce/vulnerability/wordpress-secudeal-payments-for-ecommerce-plugin-1-1-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Secudeal Payments for Ecommerce plugin <= 1.1 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T13:38:00.433328Z", "id": "CVE-2026-22471", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:17:43.919Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22471", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T13:38:00.433328Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:37:18.533Z"}}], "cna": {"title": "WordPress Secudeal Payments for Ecommerce plugin <= 1.1 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Mrreee | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "maximsecudeal", "product": "Secudeal Payments for Ecommerce", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1"}], "packageName": "secudeal-payments-for-ecommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:19:19.918Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/secudeal-payments-for-ecommerce/vulnerability/wordpress-secudeal-payments-for-ecommerce-plugin-1-1-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce allows Object Injection.This issue affects Secudeal Payments for Ecommerce: from n/a through <= 1.1.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce allows Object Injection.<p>This issue affects Secudeal Payments for Ecommerce: from n/a through <= 1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:44.625Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22471", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:17:43.919Z", "dateReserved": "2026-01-07T13:44:06.688Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:46.338Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce allows Object Injection.This issue affects Secudeal Payments for Ecommerce: from n/a through <= 1.1."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en maximsecudeal Secudeal Payments para Ecommerce secudeal-payments-for-ecommerce permite la inyecci\u00f3n de objetos. Este problema afecta a Secudeal Payments para Ecommerce: desde n/a hasta &lt;= 1.1."}], "id": "CVE-2026-22471", "lastModified": "2026-04-28T19:36:39.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-05T06:16:20.777", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/secudeal-payments-for-ecommerce/vulnerability/wordpress-secudeal-payments-for-ecommerce-plugin-1-1-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Secudeal Payments for Ecommerce", "source": "cna", "vendor": "maximsecudeal"}, "product": "secudeal_payments_for_ecommerce", "vendor": "maximsecudeal"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T17:32:42.510837+00:00", "value": {"mitigation_remediation": ["Upgrade the Secudeal Payments for Ecommerce plugin to the latest available version (\u22651.2 or newer).", "If an upgrade is not immediately possible, disable or uninstall the plugin entirely to eliminate the vulnerable code path.", "Configure the plugin or WordPress environment to whitelist acceptable classes for deserialization and block magic methods such as __wakeup and __destruct, or apply input filtering that rejects serialized payloads before processing."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The plugin is distributed by maximsecudeal under the name Secudeal Payments for Ecommerce. All installations running version 1.1 or earlier are affected. This includes WordPress sites that have the plugin installed with any version equal to or less than 1.1.", "description_and_impact": "The vulnerability is a deserialization of untrusted data flaw that permits PHP object injection. An attacker can supply crafted serialized payloads that are parsed by the Secudeal Payments for Ecommerce plugin, allowing arbitrary PHP objects to be instantiated. This can lead to remote code execution if the injected objects trigger destructive or malicious behavior. The impact is therefore the potential loss of control over the affected server, modification of site files, and exposure of sensitive data.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity class. The EPSS of less than 1% shows the likely immediate likelihood of exploitation is very low. The vulnerability is not listed in the CISA KEV catalog. Based on the description, an attacker would need to inject serialized input through a plugin\u2011provided interface or the WordPress admin area. While no proof\u2011of\u2011concept or public exploit is available, the mechanism gives an attacker the ability to execute arbitrary code if the platform permits."}}}}, "created": "2026-03-06T15:14:00.847133+00:00", "updated": "2026-04-28T17:45:16.115257+00:00", "vendors": ["maximsecudeal", "maximsecudeal$PRODUCT$secudeal_payments_for_ecommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}