PT-2026-23813 · WordPress · Wordpress
Athiwat Tiprasaharn
Published: 2026-03-07 · Updated: 2026-03-12
CVE-2026-2020
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WordPress JS Archive List plugin versions up to and including 6.1.7
Description
The JS Archive List plugin for WordPress is susceptible to PHP Object Injection through the 'included' shortcode attribute. This occurs because of the deserialization of untrusted input provided through the 'included' parameter of the plugin’s shortcode. Authenticated attackers with Contributor-level access or higher can inject a PHP Object. Currently, no known practical exploitation chain (POP chain) exists within the vulnerable software itself. However, if a POP chain is present through an additional plugin or theme installed on the target system, an attacker could potentially delete arbitrary files, retrieve sensitive data, or execute code.
Recommendations
Update the JS Archive List plugin to a version newer than 6.1.7.
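For sites that ran an affected version, stored post content can be reviewed for `included` shortcode attribute values that carry a serialized PHP object instead of plain data. The following is an added example, not code from the plugin or the advisory. It assumes post content is supplied as (post ID, content) pairs and that legitimate values contain no object markers; the shortcode tag `example_archive`, the class `HypotheticalClass` and the sample posts are constructed.

```python
import html
import re

# The advisory does not name the shortcode tag, so any shortcode is inspected
# for an `included` attribute (assumption).
SHORTCODE_RE = re.compile(r"\[(?P<tag>[A-Za-z][\w-]*)\b(?P<attrs>[^\]]*)\]")
INCLUDED_RE = re.compile(
    r"""\bincluded\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s\]]+))""",
    re.IGNORECASE,
)
# PHP serialize() object markers: O:<len>:"Class": and C:<len>:"Class":
# An optional sign on the length is tolerated so signed lengths are still flagged.
OBJECT_TOKEN_RE = re.compile(r'[OC]:\+?\d+:"(?P<cls>[^"]+)":')

# Constructed sample data standing in for rows of post content.
SAMPLE_POSTS = [
    (101, "Archive: [example_archive included='a:2:{i:0;i:3;i:1;i:9;}']"),
    (102, "[example_archive included='O:8:&quot;stdClass&quot;:0:{}']"),
    (103, "[example_archive included='a:1:{i:0;O:17:\"HypotheticalClass\":0:{}}' limit=5]"),
    (104, "Plain text mentioning O:8:\"stdClass\" outside any shortcode."),
]


def find_object_payloads(posts):
    """Return (post_id, shortcode_tag, class_name) for each serialized object
    found inside an `included` shortcode attribute."""
    findings = []
    for post_id, content in posts:
        for sc in SHORTCODE_RE.finditer(content):
            for attr in INCLUDED_RE.finditer(sc.group("attrs")):
                raw = attr.group("dq") or attr.group("sq") or attr.group("bare") or ""
                # Extract the raw value first, then decode entities such as &quot;
                value = html.unescape(raw)
                for tok in OBJECT_TOKEN_RE.finditer(value):
                    findings.append((post_id, sc.group("tag"), tok.group("cls")))
    return findings


if __name__ == "__main__":
    for post_id, tag, cls in find_object_payloads(SAMPLE_POSTS):
        print(f"post {post_id}: [{tag}] included= carries object of class {cls!r}")
```

A hit identifies a post to review together with its author's role; it does not by itself show that a usable POP chain exists on the site.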
Fix
Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
Affected Products
Js Archive List
Wordpress