CVE-2026-22354
Awaiting Analysis Awaiting Analysis - Queue
Deserialization Object Injection in Woocommerce Category Banner Management

Publication date: 2026-02-20

Last updated on: 2026-02-24

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce allows Object Injection.This issue affects Woocommerce Category Banner Management: from n/a through <= 2.5.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22354
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dotstore woocommerce_category_banner_management to 2.5.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22354 is a PHP Object Injection vulnerability found in the WordPress WooCommerce Category Banner Management Plugin versions up to and including 2.5.1.

This vulnerability arises from deserialization of untrusted data, allowing attackers to inject malicious objects into the application.

Exploitation requires contributor or developer-level privileges and can lead to various attacks such as code injection, SQL injection, path traversal, and denial of service, especially if a suitable Property Oriented Programming (POP) chain is available.

It is classified under the OWASP Top 10 category A3: Injection and has a CVSS score of 8.8, indicating a high risk.

Impact Analysis

This vulnerability can have serious impacts including unauthorized code execution, data breaches through SQL injection, unauthorized file access via path traversal, and service disruption through denial of service attacks.

An attacker with sufficient privileges could exploit this flaw to compromise the security and integrity of your WooCommerce site.

Until an official patch is released, users are advised to apply mitigation rules provided by Patchstack to block attacks targeting this vulnerability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects the WordPress WooCommerce Category Banner Management Plugin versions up to and including 2.5.1. Detection involves identifying if this specific plugin and version is installed on your system.

You can check the installed plugin version on your WordPress site by running commands to list plugins and their versions.

  • Use WP-CLI command: wp plugin list | grep banner-management-for-woocommerce
  • Check the plugin version in the WordPress admin dashboard under Plugins.

Additionally, monitoring for suspicious PHP Object Injection attempts in logs or using web application firewalls with rules targeting this vulnerability can help detect exploitation attempts.

Mitigation Strategies

Since no official patch is available for this vulnerability as of the latest update, immediate mitigation involves applying the Patchstack mitigation rule provided by the security researchers.

Users are strongly advised to apply this mitigation to block attacks targeting this vulnerability until an official patch is released.

Other recommended steps include limiting contributor or developer-level privileges to trusted users only, monitoring for suspicious activity, and considering disabling or removing the vulnerable plugin if possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22354. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart