Executive Summary

CVE-2026-1235 is a vulnerability in the WP eCommerce WordPress plugin up to version 3.15.1 that allows unauthenticated users to perform PHP Object Injection. This happens because the plugin unserializes user input received via AJAX actions without proper validation. An attacker can send specially crafted serialized PHP objects in a POST request, which the plugin processes and stores, enabling the injection of malicious objects if a suitable gadget chain exists on the WordPress blog.

The attack involves two HTTP POST requests to the endpoint /wp-admin/admin-ajax.php: first, an injection request that sends a base64-encoded serialized PHP object payload, and second, a verification request to confirm the payload was successfully injected and stored.

This vulnerability is classified as an Object Injection flaw (CWE-502) and is part of the OWASP Top 10 category A8: Insecure Deserialization.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow unauthenticated attackers to inject malicious PHP objects into the WordPress site, potentially leading to remote code execution, data manipulation, or other unauthorized actions depending on the gadget chains available on the site.

Because the attacker does not need to be authenticated, the risk is higher as it lowers the barrier to exploitation.

Successful exploitation could compromise the integrity and security of the website, leading to data breaches, site defacement, or further attacks on the hosting environment.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for specific HTTP POST requests to the endpoint `/wp-admin/admin-ajax.php` that attempt to exploit the unserialization flaw.'}, {'type': 'list_item', 'content': 'Look for POST requests with the action parameter `wpsc_update_customer_meta` where `meta_key` is set to `_wpsc_cart.cart_items` and `meta_value` contains a base64-encoded serialized PHP object payload.'}, {'type': 'list_item', 'content': 'Check for subsequent POST requests with the action `wpsc_get_customer_meta` and the meta key `_wpsc_cart.cart_items` to verify if the payload was stored.'}, {'type': 'paragraph', 'content': 'Example command using curl to test for the injection attempt:'}, {'type': 'list_item', 'content': 'curl -X POST https://yourwordpresssite.com/wp-admin/admin-ajax.php -d "action=wpsc_update_customer_meta&meta_key=_wpsc_cart.cart_items&meta_value=<base64_encoded_serialized_payload>"'}, {'type': 'list_item', 'content': 'Followed by a verification request:'}, {'type': 'list_item', 'content': 'curl -X POST https://yourwordpresssite.com/wp-admin/admin-ajax.php -d "action=wpsc_get_customer_meta&meta_key=_wpsc_cart.cart_items"'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Currently, there is no known fix available for this vulnerability in the WP eCommerce plugin up to version 3.15.1.

Immediate mitigation steps include:

• Restrict access to the `/wp-admin/admin-ajax.php` endpoint to trusted users or IP addresses to prevent unauthenticated exploitation.
• Implement Web Application Firewall (WAF) rules to detect and block suspicious POST requests containing the vulnerable parameters.
• Monitor logs for exploitation attempts as described in detection steps.
• Consider disabling or removing the WP eCommerce plugin temporarily if possible until a patch is released.

Useful 0 Not Useful 0