WordPress Plugin Vulnerabilities

Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels < 6.6.27 - Authenticated (Shop Manager+) PHP Object Injection

Description

The Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 6.6.26 via deserialization of untrusted input. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
webappick-product-feed-for-woocommerce
Fixed in 6.6.27

References

CVE
CVE-2026-39434
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f2967b6a-38e1-405b-83a3-ae6ea07b8840

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
daroo
Verified
No
WPVDB ID
97c2f713-db9b-4173-945b-3a3da6a45ebc

Timeline

Publicly Published
2026-04-07 (about 1 month ago)
Added
2026-04-15 (about 1 month ago)
Last Updated
2026-04-15 (about 1 month ago)

Other

Published
Title
Published
2024-04-16
Title
Master Slider < 3.9.7 - Unauthenticated PHP Object Injection
Published
2024-09-12
Title
WP Editor < 1.2.9.1 - Authenticated (Admin+) PHAR Deserialization
Published
2025-08-23
Title
PDF for WPForms < 6.5.1 - Authenticated (Subscriber+) PHP Object Injection
Published
2024-03-04
Title
Vimeography < 2.3.3 - Contributor+ PHP Object Injection
Published
2017-10-02
Title
Flickr Gallery <= 1.5.2 - Unauthenticated PHP Object Injection