CVE-2026-49781

Vulnerability

The OttoKit plugin for WordPress versions 1.1.27 and earlier is vulnerable to unauthenticated PHP object injection. An attacker can inject arbitrary serialized PHP objects via a crafted HTTP request without requiring authentication. This vulnerability can lead to remote code execution if a suitable POP (Property Oriented Programming) chain exists within the application or its dependencies. [1]

Exploitation

An unauthenticated attacker with network access to the WordPress site can exploit this vulnerability by sending a specially crafted request containing malicious serialized PHP objects. No user interaction is required. The vulnerability is expected to be used in mass-exploit campaigns, targeting thousands of sites simultaneously. [1]

Impact

Successful exploitation allows an attacker to achieve arbitrary code execution, SQL injection, path traversal, or denial of service, depending on the available POP chain. The attacker gains full control over the affected WordPress site without any prior authentication, leading to complete compromise of confidentiality, integrity, and availability. [1]

Mitigation

The vulnerability is fixed in version 1.1.28 of the OttoKit plugin. Users should update to this version or later immediately. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update is applied. [1]