CVE-2026-0726
PHP Object Injection in Nexter Extension Plugin via Untrusted Deserialization
Publication date: 2026-01-20
Last updated on: 2026-01-20
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | nexter_extension | to 4.4.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a PHP Object Injection issue in the Nexter Extension β Site Enhancements Toolkit plugin for WordPress, affecting all versions up to 4.4.6. It occurs due to unsafe deserialization of untrusted input in the 'nxt_unserialize_replace' function. An unauthenticated attacker can inject a PHP object if a POP (Property Oriented Programming) chain exists in another installed plugin or theme. Without such a POP chain, the vulnerability has no impact. If a POP chain is present, the attacker could potentially delete files, retrieve sensitive data, or execute arbitrary code. The vulnerability was fixed by enforcing authentication and authorization on AJAX actions, adding nonce verification to prevent CSRF, and implementing safe unserialization that restricts deserialization to arrays and primitive types only, preventing PHP Object Injection. [1]
How can this vulnerability impact me? :
If exploited in an environment where a POP chain is present via another plugin or theme, this vulnerability can allow an attacker to perform malicious actions such as deleting arbitrary files, retrieving sensitive data, or executing arbitrary code on the affected WordPress site. This can lead to site compromise, data loss, or unauthorized control over the website. However, if no POP chain is present, the vulnerability cannot be exploited.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the version of the Nexter Extension β Site Enhancements Toolkit plugin installed on your WordPress site. Versions up to and including 4.4.6 are vulnerable. To detect attempts to exploit the vulnerability, monitor for unauthorized AJAX requests to functions like 'nxt_replace_url' or 'nxt_replace_confirm_url' without proper authentication. There are no specific commands provided in the resources, but you can use WordPress CLI to check plugin versions: `wp plugin list | grep nexter-extension` and monitor web server logs for suspicious AJAX calls to the plugin endpoints. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Nexter Extension plugin to version 4.4.7 or later, which enforces authentication and authorization for AJAX actions and implements safe unserialization to prevent PHP Object Injection. Additionally, ensure that only trusted plugins and themes are installed to avoid the presence of POP chains that could be exploited. If updating is not immediately possible, restrict access to the vulnerable AJAX endpoints and monitor for suspicious activity. [1]