PT-2026-7487 · WordPress · Wp Ecommerce

Published: 2026-02-11 · Updated: 2026-02-11 · CVE-2026-1235

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

WP eCommerce versions through 3.15.1

Description

The WP eCommerce WordPress plugin unserializes user input received through AJAX actions, which are the entry point for this issue. Unauthenticated users could use this to perform PHP Object Injection if a suitable gadget is present. The vulnerable component processes user-supplied data without proper sanitization, leading to the potential for arbitrary code execution.

Recommendations

Update WP eCommerce to a version beyond 3.15.1. Disable the plugin until a patch is available.

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2026-1235

Affected Products

Wp Ecommerce