PT-2026-3578 · WordPress · Nexter Extension – Site Enhancements Toolkit

Craig Smith

·

Publicado

2026-01-20

·

Atualizado

2026-01-21

·

CVE-2026-0726

CVSS v3.1

8.1

Alta

VetorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Nexter Extension – Site Enhancements Toolkit plugin for WordPress versions through 4.4.6
Description The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is susceptible to PHP Object Injection due to deserialization of untrusted input in the nxt unserialize replace function. This allows unauthenticated attackers to inject a PHP Object. The impact of this issue is limited unless another plugin or theme containing a PHP Object Payload (POP) chain is installed. If a POP chain is present, an attacker may be able to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code.
Recommendations Versions prior to and including 4.4.6 should be updated.

Correção

Deserialization of Untrusted Data

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-502

Identificadores relacionados

CVE-2026-0726

Produtos afetados

Nexter Extension – Site Enhancements Toolkit