CVE-2026-39499
Description
PHP Object Injection in Advanced Product Fields for WooCommerce ≤1.6.19 allows shop managers to trigger arbitrary code execution via a POP chain.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHP Object Injection in Advanced Product Fields for WooCommerce ≤1.6.19 allows shop managers to trigger arbitrary code execution via a POP chain.
Vulnerability
The vulnerability is a PHP Object Injection in the Advanced Product Fields (Product Addons) for WooCommerce plugin version 1.6.19 and earlier. It resides in the handling of user-supplied input by shop managers, allowing deserialization of untrusted data. Affected versions: <=1.6.19 [1].
Exploitation
An attacker with shop manager privileges can craft a malicious serialized object and inject it via a vulnerable parameter. The plugin deserializes the input without proper sanitization, enabling the attacker to trigger a POP (Property Oriented Programming) chain if a suitable gadget is present in the environment [1].
Impact
Successful exploitation can lead to arbitrary code execution, SQL injection, path traversal, denial of service, and other impacts depending on available POP chains. The attacker gains the ability to execute arbitrary PHP code, potentially leading to full site compromise [1].
Mitigation
Update to version 1.6.20 or later, which fixes the vulnerability. If immediate update is not possible, apply a virtual patch or mitigation rule (e.g., Patchstack provides a rule to block attacks). No other workarounds are mentioned [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=1.6.19
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
0No linked articles in our index yet.