CVE-2026-40725
Deferred Deferred - Pending Action
Unauthenticated PHP Object Injection in WooCommerce Product Filters

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated PHP Object Injection in WooCommerce Product Filters < 2.0.6 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-40725
EUVD
EUVD-2026-37594
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
woocommerce woocommerce to 2.0.6 (exc)
barn2_plugins woocommerce_product_filters to 2.0.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated PHP Object Injection which can lead to code execution, SQL injection, path traversal, and denial of service attacks. Such security breaches can result in unauthorized access to sensitive data, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.

Failure to patch this vulnerability promptly could lead to data breaches, exposing organizations to legal and regulatory penalties under these standards.

Executive Summary

The vulnerability is an unauthenticated PHP Object Injection flaw found in versions of the WooCommerce Product Filters plugin below 2.0.6.

This flaw allows attackers to inject malicious PHP objects without needing to be authenticated, potentially enabling them to execute arbitrary code or perform other harmful actions.

Impact Analysis

This vulnerability has a very high severity score of 9.8 and can lead to serious impacts including code injection, SQL injection, path traversal, denial of service, and other malicious activities.

If exploited, attackers could take control of the affected website, disrupt services, access sensitive data, or cause significant damage.

The vulnerability is expected to be targeted in mass campaigns affecting thousands of websites, making immediate mitigation critical.

Detection Guidance

The vulnerability affects WordPress WooCommerce Product Filters Plugin versions below 2.0.6. Detection involves verifying the installed plugin version to see if it is older than 2.0.6.

There are no specific commands provided in the available resources to detect exploitation attempts or presence of the vulnerability on your network or system.

Mitigation Strategies

Immediate mitigation requires updating the WooCommerce Product Filters Plugin to version 2.0.6 or later, which contains the patch for this PHP Object Injection vulnerability.

Alternatively, applying a mitigation rule provided by Patchstack can help reduce the risk until the plugin is updated.

Because the vulnerability is highly dangerous and expected to be exploited in mass campaigns, prompt action is strongly recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40725. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart