PT-2026-3578 · WordPress · Nexter Extension – Site Enhancements Toolkit
Craig Smith
·
Published
2026-01-20
·
Updated
2026-01-21
·
CVE-2026-0726
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Nexter Extension – Site Enhancements Toolkit plugin for WordPress versions through 4.4.6
Description
The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is susceptible to PHP Object Injection due to deserialization of untrusted input in the
nxt unserialize replace function. This allows unauthenticated attackers to inject a PHP Object. The impact of this issue is limited unless another plugin or theme containing a PHP Object Payload (POP) chain is installed. If a POP chain is present, an attacker may be able to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code.Recommendations
Versions prior to and including 4.4.6 should be updated.
Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Nexter Extension – Site Enhancements Toolkit