PT-2026-44749 · WordPress · Woocommerce Infinite Scroll/Ajax Pagination
Cuokon
·
Published
2026-05-29
·
Updated
2026-06-29
·
CVE-2025-11993
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
WooCommerce Infinite Scroll and Ajax Pagination versions prior to 1.9
Description
The plugin is subject to PHP Object Injection, a condition where untrusted data is deserialized, allowing an attacker to manipulate the application's logic. The issue occurs within the
import settings function via the settings parameter during the import configuration process, as the system fails to perform necessary capability checks. Authenticated attackers with Subscriber-level access or higher can inject a PHP Object. While the plugin lacks a native POP chain (a sequence of gadgets used to achieve code execution), the presence of a POP chain in another installed plugin or theme could enable the deletion of arbitrary files, retrieval of sensitive data, or remote code execution.Recommendations
Update to a version later than 1.8.
As a temporary mitigation, restrict access to the import configuration feature or disable the
import settings function until the update is applied.Fix
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Woocommerce Infinite Scroll/Ajax Pagination