CVE-2026-46725

Name of the Vulnerable Software and Affected Versions Content Element Selector (ceselector) (affected versions not specified)

Description The extension passes an attacker-controlled cookie directly to the unserialize() function without safe processing. A remote, unauthenticated attacker can provide a crafted serialized payload to trigger PHP Object Injection, which allows for Remote Code Execution on the server. This issue occurs when the content element is configured with "Persistent Mode: Static" in the plugin settings. PHP Object Injection is a technique where untrusted input is used to manipulate the way an application reconstructs objects from a stored format, potentially allowing the execution of arbitrary code.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.