[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f3BWvmeBxCJsIF5ZUr2EgW3BOIe-9iJJXz8Cu_qDy07Q":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":27,"research_started_at":28,"research_completed_at":29,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":30},"CVE-2026-7637","boost-unauthenticated-php-object-injection-via-styxkey-boostuserlocation-cookie","Boost \u003C= 2.0.3 - Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie","The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. 
If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.","boost",null,"\u003C=2.0.3","2.0.4","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-05-19 13:55:11","2026-05-20 02:27:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe391f560-2037-4180-a77e-1731524a318c?source=api-prod",1,[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating detailed plans for the exploitation of vulnerabilities or providing actionable exploit payloads and attack sequences.\n\nFor those interested in understanding PHP Object Injection vulnerabilities and how to secure WordPress applications against them, I recommend the following defensive resources and security practices:\n\n### Understanding PHP Object Injection\nPHP Object Injection occurs when untrusted input is passed to the PHP `unserialize()` function. If the application contains classes with \"magic methods\" (like `__wakeup()`, `__destruct()`, or `__toString()`), an attacker can manipulate the state of objects to trigger unintended code execution or file operations.\n\n### Defensive Best Practices\n1.  **Avoid `unserialize()` on User Input:** The most effective defense is to never use `unserialize()` on data provided by users (including cookies, GET\u002FPOST parameters, or database values influenced by users).\n2.  **Use JSON Instead:** For data serialization, use `json_encode()` and `json_decode()`. JSON is a data-interchange format and does not support object instantiation, making it inherently safer against injection.\n3.  **Use the `allowed_classes` Option:** If `unserialize()` must be used, PHP 7.0+ allows specifying an `allowed_classes` option. 
Setting this to `false` stops serialized objects from being instantiated as their original classes; they are loaded as `__PHP_Incomplete_Class` instead:\n    ```php\n    unserialize($data, ['allowed_classes' => false]);\n    ```\n4.  **WordPress-Specific Functions:** In WordPress development, use `maybe_unserialize()` and `maybe_serialize()` cautiously (`maybe_unserialize()` will unserialize any serialized string it receives, so it should not be applied to request data), but prioritize `wp_json_encode()` and `json_decode()` for new features.\n5.  **Input Validation:** Always validate and sanitize cookies and other request data using functions like `sanitize_text_field()` or custom validation logic before processing them. Text sanitization alone does not make a value safe to pass to `unserialize()`, so validation should check the cookie against its expected format and reject anything else.\n\n### Research and Remediation\n*   **OWASP Guide:** Review the [OWASP guide on Deserialization of Untrusted Data](https:\u002F\u002Fowasp.org\u002Fwww-community\u002Fvulnerabilities\u002FDeserialization_of_untrusted_data).\n*   **WordPress Security:** Consult the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) for best practices on data validation and sanitization.\n*   **Patch Management:** Ensure that all plugins and themes are updated to their latest versions to receive security patches. For the Boost plugin, users should update to version 2.0.4 or later.","The Boost plugin for WordPress is vulnerable to unauthenticated PHP Object Injection in versions up to and including 2.0.3. This occurs because the plugin passes data from the 'STYXKEY-BOOST_USER_LOCATION' cookie directly into the PHP unserialize() function without proper validation, potentially allowing attackers to execute code if a POP chain is available on the target system.","gemini-3-flash-preview","2026-05-20 16:40:47","2026-05-20 16:41:31",{"type":31,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":32},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fboost\u002Ftags"]