{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25316", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:20:47.811Z", "datePublished": "2026-02-19T08:26:54.560Z", "dateUpdated": "2026-04-28T16:14:54.727Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cartflows", "product": "CartFlows", "vendor": "Brainstorm Force", "versions": [{"changes": [{"at": "2.2.0", "status": "unaffected"}], "lessThanOrEqual": "2.1.19", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:03.336Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Brainstorm Force CartFlows cartflows allows Object Injection.<p>This issue affects CartFlows: from n/a through <= 2.1.19.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Brainstorm Force CartFlows cartflows allows Object Injection.This issue affects CartFlows: from n/a through <= 2.1.19."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:54.727Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cartflows/vulnerability/wordpress-cartflows-plugin-2-1-19-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress CartFlows plugin <= 2.1.19 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T20:52:58.241433Z", "id": "CVE-2026-25316", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:55:44.354Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25316", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T20:52:58.241433Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:52:52.647Z"}}], "cna": {"title": "WordPress CartFlows plugin <= 2.1.19 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Brainstorm Force", "product": "CartFlows", "versions": [{"status": "affected", "changes": [{"at": "2.2.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.1.19"}], "packageName": "cartflows", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:39.153Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/cartflows/vulnerability/wordpress-cartflows-plugin-2-1-19-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Brainstorm Force CartFlows cartflows allows Object Injection.This issue affects CartFlows: from n/a through <= 2.1.19.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Brainstorm Force CartFlows cartflows allows Object Injection.<p>This issue affects CartFlows: from n/a through <= 2.1.19.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:49.051Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25316", "state": "PUBLISHED", "dateUpdated": "2026-04-28T12:55:44.354Z", "dateReserved": "2026-02-02T12:20:47.811Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:54.560Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Brainstorm Force CartFlows cartflows allows Object Injection.This issue affects CartFlows: from n/a through <= 2.1.19."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Brainstorm Force CartFlows cartflows permite la inyecci\u00f3n de objetos. Este problema afecta a CartFlows: desde n/a hasta &lt;= 2.1.19."}], "id": "CVE-2026-25316", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:15.920", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/cartflows/vulnerability/wordpress-cartflows-plugin-2-1-19-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.19]"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "CartFlows", "source": "cna", "vendor": "Brainstorm Force"}, "product": "cartflows", "vendor": "brainstormforce"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T06:37:00.487173+00:00", "value": {"mitigation_remediation": ["Upgrade CartFlows to the latest released version or apply the official fix published by Brainstorm Force, which removes the vulnerable unserialization code.", "If an immediate update is not feasible, disable the CartFlows plugin and delete any stored serialized data generated by it to prevent exploitation until a patch is applied.", "Review the code or configuration to ensure that unserialize() is never called with data from untrusted input; consider replacing it with safe alternatives such as json_decode() and implement strict input validation."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "CartFlows, a WordPress plugin authored by Brainstorm Force, is affected in all versions up to and including 2.1.19. Every installation of the plugin between its first release and 2.1.19 is vulnerable when the plugin is active on a WordPress site.", "description_and_impact": "Deserialization of untrusted data in the CartFlows plugin enables PHP Object Injection, a weakness defined as CWE-502. Attackers can craft serialized payloads that the plugin processes without adequate validation, potentially allowing the execution of arbitrary PHP code. This can compromise the entire WordPress instance, exposing sensitive data, enabling further lateral movement, or forming a foothold for persistent malware.", "risk_and_exploitability": "The vulnerability carries a CVSS base score of 7.2, indicating high severity. The EPSS score of less than 1% suggests a low current exploitation probability, yet the privileged impact if exploited remains significant. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly known exploits are documented at this time. The likely attack vector involves a remote attacker submitting serialized data to a plugin endpoint that triggers the vulnerable unserialize routine; this inference stems from the nature of PHP Object Injection and the description but is not explicitly confirmed in the advisory."}}}}, "created": "2026-02-20T10:09:06.339708+00:00", "updated": "2026-04-16T06:45:16.315027+00:00", "vendors": ["brainstormforce", "brainstormforce$PRODUCT$cartflows", "wordpress", "wordpress$PRODUCT$wordpress"]}