WordPress Plugin Vulnerabilities

Woocommerce Category Banner Management <= 2.5.1 - Authenticated (Contributor+) PHP Object Injection

Description

The Woocommerce Category Banner Management plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.5.1 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
banner-management-for-woocommerce
No known fix

References

CVE
CVE-2026-22354
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e96cfa07-2640-4d5e-8057-28e42f0425b0

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Muhammad Yudha - DJ
Verified
No
WPVDB ID
4da62fbc-2498-4c8b-b7d5-720aeee727da

Timeline

Publicly Published
2026-02-16 (about 4 months ago)
Added
2026-02-25 (about 4 months ago)
Last Updated
2026-02-25 (about 4 months ago)

Other

Published
Title
Published
2024-05-02
Title
Last Viewed Posts by WPBeginner < 1.0.1 - Unauthenticated PHP Object Injection
Published
2024-11-13
Title
AJAX Random Posts <= 0.3.3 - Unauthenticated PHP Object Injection
Published
2026-02-17
Title
Applay - Shortcodes <= 3.7 - Authenticated (Contributor+) PHP Object Injection
Published
2023-12-25
Title
Estatik Real Estate Plugin < 4.1.1 - Unauthenticated PHP Object Injection
Published
2025-12-12
Title
Doubly < 1.0.47 - Authenticated (Subscriber+) PHP Object Injection via ZIP File Import