Executive Summary

CVE-2026-39467 is a PHP Object Injection vulnerability found in the WordPress plugin "Responsive Slider by MetaSlider" versions up to and including 3.106.0.

This vulnerability allows attackers to inject malicious PHP objects by exploiting deserialization of untrusted data, which can lead to severe consequences such as code injection, SQL injection, path traversal, denial of service, and other attacks if a suitable Property Oriented Programming (POP) chain is available.

Exploitation requires at least editor or developer privileges on the affected site.

The issue was reported in early 2026 and patched in version 3.107.0 of the plugin.

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability can allow attackers to perform various malicious actions including:

• Executing arbitrary code on the server.
• Performing SQL injection attacks to manipulate or steal data.
• Conducting path traversal attacks to access unauthorized files.
• Causing denial of service conditions.

These impacts can compromise the confidentiality, integrity, and availability of your website and its data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects the WordPress plugin "Responsive Slider by MetaSlider" versions up to and including 3.106.0. Detection involves identifying if this vulnerable plugin version is installed on your system.

You can check the installed plugin version by accessing your WordPress installation and running commands to list plugin versions or inspecting the plugin files directly.

• Use WP-CLI to check the plugin version: wp plugin list --status=active
• Look specifically for the "ml-slider" or "Responsive Slider by MetaSlider" plugin and verify its version.
• Alternatively, inspect the plugin's main PHP file header for the version number.

Network detection of exploitation attempts may involve monitoring for unusual PHP object injection payloads targeting this plugin, but specific detection commands or signatures are not provided.

Useful 0 Not Useful 0

Mitigation Strategies

The primary immediate step to mitigate this vulnerability is to update the Responsive Slider by MetaSlider plugin to version 3.107.0 or later, where the vulnerability is patched.

Until you can update, applying mitigation rules provided by Patchstack can help block attacks exploiting this vulnerability.

• Update the plugin to version 3.107.0 or newer.
• Apply Patchstack mitigation rules to block exploitation attempts.
• Consider enabling automatic updates for the plugin to ensure timely patching.

These steps reduce the risk of PHP Object Injection attacks that could lead to code injection, SQL injection, path traversal, denial of service, and other severe impacts.

Useful 0 Not Useful 0

Compliance Impact

The CVE-2026-39467 vulnerability allows PHP Object Injection in the Responsive Slider by MetaSlider plugin, which can lead to severe consequences such as code injection, SQL injection, path traversal, and denial of service. These types of attacks can compromise the confidentiality, integrity, and availability of data.

Such compromises can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly mention the direct impact on compliance with these standards or any regulatory implications.

Useful 0 Not Useful 0