Platform: wordpress
Component: woocommerce-product-filters
Fixed in: 2.0.6
CVE-2026-40725 details a PHP Object Injection vulnerability found in the WooCommerce Product Filters plugin for WordPress. This vulnerability enables unauthenticated attackers to inject malicious PHP objects, potentially leading to unauthorized actions such as data retrieval or code execution. The vulnerability affects versions up to and including 2.0.6. A patch has been released in version 2.0.6.
CVE-2026-40725 in the WooCommerce Product Filters plugin for WordPress presents a significant risk to websites using it. It is a PHP Object Injection vulnerability, meaning an unauthenticated attacker could inject a malicious PHP object. While no Property-Oriented Programming (POP) chain has been identified within the plugin itself, a chain may well exist through other plugins or themes installed on the site. Successful exploitation could allow an attacker to delete files, retrieve sensitive data, or even execute arbitrary code on the server, compromising the website's security and integrity.
The vulnerability is exploited through the deserialization of untrusted data: the plugin passes user-supplied input to PHP's deserialization routine without adequate validation, so an attacker can craft that input to instantiate an arbitrary PHP object. The absence of a POP chain in the plugin itself does not eliminate the risk, because any other installed plugin or theme with suitable magic methods (such as __wakeup or __destruct) can supply the chain. How hard exploitation is in practice depends on the server configuration and on what other code is loaded on the site.
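To make the bug class concrete, here is an added illustration (not code from the WooCommerce Product Filters plugin) of a hypothetical handler that rebuilds a visitor's filter state from a request parameter, first in the vulnerable form and then hardened. The parameter name `filter_state` and the `wcpf_*` function names are assumptions; `wp_unslash`, `sanitize_key` and `absint` are standard WordPress helpers.

```php
<?php
// Added illustration of PHP Object Injection, not the plugin's own code.
// Hypothetical: a plugin round-trips the visitor's filter state through a
// request parameter ("filter_state" is an assumed name) and rebuilds it.

// VULNERABLE: unserialize() on attacker-controlled input will instantiate any
// class that is currently loaded, so __wakeup()/__destruct() of classes from
// other plugins or themes run during this request. The gadget chain does not
// have to live in this plugin at all.
function wcpf_load_filter_state_vulnerable(): array {
    $raw   = isset($_REQUEST['filter_state']) ? base64_decode((string) $_REQUEST['filter_state']) : '';
    $state = @unserialize($raw);
    return is_array($state) ? $state : [];
}

// HARDENED: never deserialize objects from the client. JSON can only yield
// arrays and scalars, and the shape is validated before anything is used.
function wcpf_load_filter_state_hardened(): array {
    $raw   = isset($_REQUEST['filter_state']) ? wp_unslash((string) $_REQUEST['filter_state']) : '';
    $state = json_decode($raw, true, 8);   // depth limit guards against nesting abuse
    if (!is_array($state)) {
        return [];
    }
    $clean = [];
    foreach ($state as $taxonomy => $terms) {
        if (!is_string($taxonomy) || !is_array($terms)) {
            continue;                       // drop anything that is not taxonomy => [term ids]
        }
        $clean[sanitize_key($taxonomy)] = array_map('absint', $terms);
    }
    return $clean;
}

// If the wire format must remain PHP-serialized (legacy stored data), forbid
// class instantiation outright: any object in the payload becomes
// __PHP_Incomplete_Class and no magic method is invoked (PHP >= 7.0).
function wcpf_unserialize_data_only(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}
```

The hardened variant is what a reviewer should expect to see wherever client-supplied state crosses into the plugin; the `allowed_classes => false` fallback is the minimal fix when the serialized format cannot be changed.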
The most effective mitigation is to immediately update the WooCommerce Product Filters plugin to version 2.0.6 or higher. This version includes a fix for the PHP Object Injection vulnerability. Additionally, regular security audits of the website are recommended, including reviewing all installed plugins and themes for potential vulnerabilities. Keeping WordPress software and its components up-to-date is a fundamental practice for strengthening site security. Implementing a Web Application Firewall (WAF) can also help protect against attacks.
Update to version 2.0.6, or a newer patched version
Q: What is a PHP Object Injection vulnerability?
A: It is a vulnerability that allows an attacker to inject malicious PHP objects into a system, potentially leading to arbitrary code execution.
Q: What is a POP chain?
A: It refers to a sequence of vulnerabilities that, when combined, allow an attacker to achieve a greater impact, such as code execution.
Q: What if I cannot update immediately?
A: If updating isn't possible immediately, consider temporarily disabling the plugin until you can update it. Also, review the plugin's settings for any security options you can enable.
Q: How do I know whether my site is affected?
A: Check the version of the WooCommerce Product Filters plugin. If it's older than 2.0.6, it's vulnerable. Consider a professional security audit as well.
Q: Where can I find more information?
A: You can find more information on vulnerability databases like the National Vulnerability Database (NVD) or the WordPress website.