PT-2026-44749 · WordPress · Woocommerce Infinite Scroll/Ajax Pagination

Cuokon

·

Published

2026-05-29

·

Updated

2026-06-29

·

CVE-2025-11993

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions WooCommerce Infinite Scroll and Ajax Pagination versions prior to 1.9
Description The plugin is subject to PHP Object Injection, a condition where untrusted data is deserialized, allowing an attacker to manipulate the application's logic. The issue occurs within the import settings function via the settings parameter during the import configuration process, as the system fails to perform necessary capability checks. Authenticated attackers with Subscriber-level access or higher can inject a PHP Object. While the plugin lacks a native POP chain (a sequence of gadgets used to achieve code execution), the presence of a POP chain in another installed plugin or theme could enable the deletion of arbitrary files, retrieval of sensitive data, or remote code execution.
Recommendations Update to a version later than 1.8. As a temporary mitigation, restrict access to the import configuration feature or disable the import settings function until the update is applied.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-11993

Affected Products

Woocommerce Infinite Scroll/Ajax Pagination