CVE-2026-1426

Name of the Vulnerable Software and Affected Versions Advanced AJAX Product Filters versions prior to 3.1.9.6

Description The Advanced AJAX Product Filters plugin for WordPress is susceptible to PHP Object Injection due to deserialization of untrusted input within the shortcode check function, specifically within the Live Composer compatibility layer. This allows authenticated attackers with Author-level access or higher to inject a PHP Object. The impact of this issue is limited unless another plugin or theme containing a PHP Object Payload (POP) chain is also installed. If a POP chain is present, an attacker may be able to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code. This vulnerability requires the Live Composer plugin to be installed and active.

Recommendations Update Advanced AJAX Product Filters to a version later than 3.1.9.6.