CVE-2026-0677
Deferred Deferred - Pending Action
Deserialization Object Injection in TotalContest Lite

Publication date: 2026-03-20

Last updated on: 2026-06-10

Assigner: Patchstack

Description
Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Injection.This issue affects TotalContest Lite: from n/a through <= 2.9.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-06-10
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0677
EUVD
EUVD-2026-13657
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
totalsuite totalcontest_lite to 2.9.1 (inc)
patchstack totalcontest_lite From 2.9.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0677 is a vulnerability in the WordPress TotalContest Lite Plugin (version 2.9.1 and earlier) that allows PHP Object Injection. This means an attacker can inject malicious PHP objects into the application, potentially leading to harmful actions.

  • The vulnerability arises from deserialization of untrusted data.
  • It can enable attackers to perform code injection, SQL injection, path traversal, and denial of service attacks if a suitable Property Oriented Programming (POP) chain is available.
  • It is classified under the OWASP Top 10 category A3: Injection.
Impact Analysis

This vulnerability can have several serious impacts if exploited:

  • Attackers may execute arbitrary code on the affected system.
  • It can lead to SQL injection, potentially compromising the database.
  • Path traversal attacks could allow attackers to access unauthorized files.
  • Denial of service attacks may disrupt the availability of the service.

The CVSS score of 7.2 indicates a moderate severity, but exploitation is considered unlikely and the impact is rated low priority by Patchstack.

Compliance Impact

I don't know

Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Mitigation Strategies

Immediate mitigation involves updating the TotalContest Lite plugin to a version later than 2.9.1 if available.

If updating is not possible, users are advised to seek assistance from their hosting provider or web developer.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0677. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart