Advanced AJAX Product Filters < 3.1.9.7 – Author+ PHP Object Injection | CVE 2026-1426 | Plugin Vulnerabilities

Description

The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input in the shortcode_check function within the Live Composer compatibility layer. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Note: This vulnerability requires the Live Composer plugin to also be installed and active.

Affects Plugins

woocommerce-ajax-filters

Fixed in 3.1.9.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/29e76d57-217f-4f21-8bc6-a86290783a19

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Athiwat Tiprasaharn (Jitlada), Itthidej Aramsri (Boeing777)

Verified

No

WPVDB ID

74a177fb-f6e6-46f5-bc88-97cf95e96d20

Timeline

Publicly Published

2026-02-17 (about 3 months ago)

Added

2026-02-18 (about 3 months ago)

Last Updated

2026-02-18 (about 3 months ago)

Other

Published

Title

Published

2025-04-17

Title

Ultimate Store Kit Elementor Addons < 2.4.1 - Unauthenticated PHP Object Injection

Published

2024-04-10

Title

WordPress Geo Controller < 8.6.5 - PHP Object Injection

Published

2024-08-12

Title

Crew HRM < 1.1.2 - Unauthenticated PHP Object Injection

Published

2024-07-17

Title

Timeline Event History < 3.2 - Authenticated (Contributor+) PHP Object Injection

Published

2021-01-08

Title

Modal Survey < 2.0.1.8.2 - Authenticated PHP Object Injection