CVE-2026-39434

Vulnerability

The CTX Feed plugin for WordPress (versions up to 6.6.26) contains a PHP Object Injection vulnerability. This issue exists in the plugin's handling of data accessible to users with the Shop Manager role. The vulnerability occurs when untrusted input is passed to unserialize(), allowing an attacker to inject arbitrary PHP objects. If a suitable POP chain is available, this can lead to code execution, SQL injection, path traversal, or denial of service [1].

Exploitation

An attacker requires a WordPress account with the Shop Manager role or higher. The attacker can craft a malicious serialized object and submit it to a vulnerable endpoint. The input is unserialized without proper sanitization, triggering the POP chain. No additional user interaction or race condition is needed [1].

Impact

Successful exploitation can lead to arbitrary code execution, SQL injection, path traversal, or denial of service, depending on the available POP chain. The attacker gains the ability to compromise the entire WordPress site, potentially achieving full server-level access [1].

Mitigation

The vulnerability is fixed in version 6.6.27. Users should update immediately. If an update is not possible, Patchstack has issued a mitigation rule to block attacks, but the safest action is to update to the patched version [1].