PT-2026-23813 · WordPress · Wordpress+1

Athiwat Tiprasaharn +2 · Published 2026-03-07 · Updated 2026-03-12 · CVE-2026-2020

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WordPress JS Archive List plugin versions up to and including 6.1.7

Description

The JS Archive List plugin for WordPress is susceptible to PHP Object Injection through the 'included' shortcode attribute. The plugin deserializes untrusted input supplied in the 'included' parameter of its shortcode, so authenticated attackers with Contributor-level access or higher can inject a PHP object. No known practical exploitation chain (POP chain) currently exists within the vulnerable software itself. However, if a POP chain is present through an additional plugin or theme installed on the target system, an attacker could potentially delete arbitrary files, retrieve sensitive data, or execute code.

Recommendations

Update the JS Archive List plugin to a version newer than 6.1.7.
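
For sites that ran an affected version, the following added example (not code from the plugin or from this advisory) audits stored post content for shortcodes whose 'included' attribute carries a PHP serialized object token. The shortcode tag `example_archive`, the sample rows, and the encodings checked (raw, HTML-entity, URL-encoded) are assumptions; the advisory does not state how the value is encoded.

```python
import html
import re
from urllib.parse import unquote

# Any shortcode carrying an `included` attribute, whatever its tag name.
INCLUDED_ATTR = re.compile(
    r"""\[(?P<tag>[A-Za-z][\w-]*)\b[^\]]*?\bincluded\s*=\s*(?P<q>["'])(?P<val>.*?)(?P=q)""",
    re.S,
)
# PHP serialize() object tokens: O:<len>:"<class>":<n>: and C:<len>:"<class>":<n>:
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"(?P<cls>[^"]+)":\d+:')


def decoded_forms(value):
    """Yield the raw value plus HTML-entity and URL-decoded forms (assumed encodings)."""
    seen = set()
    unescaped = html.unescape(value)
    for form in (value, unescaped, unquote(value), unquote(unescaped)):
        if form not in seen:
            seen.add(form)
            yield form


def find_object_injection(posts):
    """Return (post_id, shortcode_tag, class_name) for each suspicious `included` value."""
    findings = []
    for post_id, content in posts:
        for m in INCLUDED_ATTR.finditer(content):
            for form in decoded_forms(m.group("val")):
                hit = PHP_OBJECT.search(form.strip())
                if hit:
                    findings.append((post_id, m.group("tag"), hit.group("cls")))
                    break  # one finding per attribute is enough
    return findings


# Constructed sample rows (post ID, post_content); the shortcode tag is a placeholder.
SAMPLE_POSTS = [
    (101, '[example_archive included="3,7,12"]'),
    (102, "[example_archive included='O:8:\"stdClass\":0:{}']"),
    (103, '[example_archive included="a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"]'),
    (104, '[gallery ids="1,2"] plain text mentioning included items'),
]

if __name__ == "__main__":
    for finding in find_object_injection(SAMPLE_POSTS):
        print("post %d: [%s] included= carries a serialized object of class %r" % finding)
```

A hit identifies a post to review together with its author and revision history; it does not replace updating the plugin past 6.1.7.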

Fix

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2026-2020

Affected Products

Js Archive List
Wordpress