{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27045", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:18.876Z", "datePublished": "2026-03-25T16:14:52.853Z", "dateUpdated": "2026-04-28T16:14:59.741Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected", "packageName": "sb-woocommerce-infinite-scroll", "product": "WooCommerce Infinite Scroll", "vendor": "sbthemes", "versions": [{"lessThanOrEqual": "1.6.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:30.462Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.<p>This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:59.741Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/sb-woocommerce-infinite-scroll/vulnerability/wordpress-woocommerce-infinite-scroll-plugin-1-6-2-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress WooCommerce Infinite Scroll plugin <= 1.6.2 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:15:21.999284Z", "id": "CVE-2026-27045", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:49:48.906Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27045", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:15:21.999284Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:15:15.416Z"}}], "cna": {"title": "WordPress WooCommerce Infinite Scroll plugin <= 1.6.2 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "sbthemes", "product": "WooCommerce Infinite Scroll", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.6.2"}], "packageName": "sb-woocommerce-infinite-scroll", "collectionURL": "https://codecanyon.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:30.462Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/sb-woocommerce-infinite-scroll/vulnerability/wordpress-woocommerce-infinite-scroll-plugin-1-6-2-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.<p>This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:10.291Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27045", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:49:48.906Z", "dateReserved": "2026-02-17T13:23:18.876Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:52.853Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2."}, {"lang": "es", "value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll permite la inyecci\u00f3n de objetos. Este problema afecta a WooCommerce Infinite Scroll: desde n/a hasta &lt;= 1.6.2."}], "id": "CVE-2026-27045", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:53.720", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/sb-woocommerce-infinite-scroll/vulnerability/wordpress-woocommerce-infinite-scroll-plugin-1-6-2-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WooCommerce Infinite Scroll", "source": "cna", "vendor": "sbthemes"}, "product": "woocommerce_infinite_scroll", "vendor": "sbthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T17:39:25.182791+00:00", "value": {"mitigation_remediation": ["Upgrade WooCommerce Infinite Scroll to version 1.6.3 or later."], "summary": {"action": "Apply Patch", "impact": "Object Injection"}, "threat_synthesis": {"affected_systems": "Affecting WordPress sites that run sbthemes' WooCommerce Infinite Scroll plugin version 1.6.2 or earlier. The issue exists from the earliest release through 1.6.2, so any site that has not upgraded beyond this version remains vulnerable.", "description_and_impact": "This vulnerability arises from deserialization of untrusted data within the WooCommerce Infinite Scroll plugin. An attacker can inject a crafted serialized object that will be unserialized by the plugin, enabling arbitrary code execution on the host system. The resulting impact includes full compromise of the WordPress installation, allowing attackers to read, modify, or delete data, and possibly launch further attacks against the underlying web server.", "risk_and_exploitability": "The CVSS base score of 8.8 classifies the flaw as high severity, indicating a remote impact. EPSS estimates less than 1% chance of exploitation in the wild, and the flaw is not listed in CISA's KEV catalog. Likely attack vector is remote through HTTP requests targeting the plugin\u2019s endpoints; however, the exact method is not detailed in the provided description, so this is inferred. The combination of high impact and low exploitation probability suggests that while the vulnerability is serious, the likelihood of finding an attacker with the specific knowledge to exploit it remains modest."}}}}, "created": "2026-03-25T21:44:11.581641+00:00", "updated": "2026-03-27T09:31:33.116724+00:00", "vendors": ["sbthemes", "sbthemes$PRODUCT$woocommerce_infinite_scroll", "wordpress", "wordpress$PRODUCT$wordpress"]}