PT-2026-42100 · WordPress · Boost

Published 2026-05-20 · Updated 2026-05-20 · CVE-2026-7637

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Boost plugin for WordPress versions prior to 2.0.4

Description

The plugin is subject to PHP Object Injection due to the deserialization of untrusted input. Unauthenticated remote attackers can inject a PHP Object by passing a manipulated string through the STYXKEY-BOOST USER LOCATION cookie. This issue requires a Property-Oriented Programming (POP) chain, a sequence of gadgets (existing code snippets) used to achieve a specific goal, to be present in another installed plugin or theme to have an impact. If such a chain exists, it may allow the attacker to execute code, retrieve sensitive data, or delete arbitrary files.

Recommendations

Update to version 2.0.4. As a temporary workaround, restrict or sanitize the STYXKEY-BOOST USER LOCATION cookie to minimize the risk of exploitation.
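
One way to apply the cookie workaround at a proxy or in log review is to flag requests whose cookie value carries a PHP serialized object token. This is an added example, not code from the plugin or the advisory; the function names are hypothetical and `PLACEHOLDER_COOKIE_NAME` stands in for the cookie named above.

```python
import re
from urllib.parse import unquote

# Placeholder, not the real name: substitute the cookie named in the advisory
# exactly as it appears in your own site's traffic.
COOKIE_NAME = "PLACEHOLDER_COOKIE_NAME"

# PHP serialize() object tokens, O:<len>:"Class" or C:<len>:"Class", at the
# start of the value or nested after ';', '{' or '}'; scalars/arrays pass.
_OBJECT_TOKEN = re.compile(r'(?:^|[;{}])[OC]:\+?\d+:"([^"]*)"')


def parse_cookie_header(header):
    """Split a raw Cookie request header into {name: value}; first wins."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name not in cookies:
            cookies[name] = value
    return cookies


def serialized_classes(value, max_decode_rounds=2):
    """Class names of object tokens, checked raw and after percent-decoding."""
    found = []
    for _ in range(max_decode_rounds + 1):
        for match in _OBJECT_TOKEN.finditer(value):
            if match.group(1) not in found:
                found.append(match.group(1))
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return found


def inspect_request(cookie_header, cookie_name=COOKIE_NAME):
    """Class names found in the watched cookie, or [] if absent or clean."""
    value = parse_cookie_header(cookie_header).get(cookie_name)
    return serialized_classes(value) if value is not None else []


if __name__ == "__main__":
    # Constructed sample headers: a plain value and an encoded object.
    samples = (
        "PLACEHOLDER_COOKIE_NAME=US; theme=dark",
        "PLACEHOLDER_COOKIE_NAME=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
    )
    for header in samples:
        print(inspect_request(header))
```

A non-empty result is a reason to drop the cookie or raise an alert, not proof of a working chain. The filter is a stopgap for the workaround only; the remedy stays the update to 2.0.4.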

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers: CVE-2026-7637

Affected Products: Boost