WP-Safety
CVE-2026-0726

Nexter Extension – Site Enhancements Toolkit <= 4.4.6 - Unauthenticated PHP Object Injection via 'nxt_unserialize_replace'

highDeserialization of Untrusted Data
8.1
CVSS Score
8.1
CVSS Score
high
Severity
4.4.7
Patched in
1d
Time to patch

Description

The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=4.4.6
PublishedJanuary 20, 2026
Last updatedJanuary 20, 2026
Affected pluginnexter-extension

Source Code

WordPress.org SVN
Vulnerable v4.4.6
Browse source Download .zip
Patched v4.4.7
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-0726 - Nexter Extension PHP Object Injection ## 1. Vulnerability Summary The **Nexter Extension – Site Enhancements Toolkit** plugin (<= 4.4.6) is vulnerable to **Unauthenticated PHP Object Injection**. The vulnerability exists in the function `nxt_unserialize…

Show full research plan

Exploitation Research Plan: CVE-2026-0726 - Nexter Extension PHP Object Injection

1. Vulnerability Summary

The Nexter Extension – Site Enhancements Toolkit plugin (<= 4.4.6) is vulnerable to Unauthenticated PHP Object Injection. The vulnerability exists in the function nxt_unserialize_replace (likely located in includes/helper-functions.php or a performance optimization module), which performs unserialize() on untrusted input. An attacker can trigger this by sending a specially crafted request to an unauthenticated AJAX handler that utilizes this function for data processing (e.g., search-and-replace on site assets or migration data).

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Action: nxt_unserialize_replace_action (inferred) or a related unauthenticated AJAX action such as nxt_ajax_search_replace.
  • Parameter: The payload is likely carried in a POST parameter named data, content, or string.
  • Authentication: Unauthenticated (wp_ajax_nopriv_ hook).
  • Preconditions: The plugin must be active. No specific settings are required to reach the sink, though a valid WordPress nonce for the action may be necessary.

3. Code Flow (Inferred)

  1. Entry Point: A request is sent to admin-ajax.php with the action parameter set to the vulnerable AJAX handler.
  2. Hook Registration: The plugin registers an unauthenticated hook:
    add_action('wp_ajax_nopriv_nxt_ajax_action', 'handler_function_name');
  3. Handler Processing: The handler function retrieves input from $_POST['data'] without sanitization.
  4. The Sink: The handler calls nxt_unserialize_replace($_POST['data']).
  5. Vulnerable Code: Inside nxt_unserialize_replace, the code executes:
    function nxt_unserialize_replace($data) {
    // ... potentially some string replacement logic ...
    $unserialized = unserialize($data); // <--- INJECTION POINT
    // ...
}

4. Nonce Acquisition Strategy

Nexter Extension typically localizes security tokens in the frontend. To obtain the required nonce for unauthenticated exploitation:

  1. Identify the Trigger: The plugin's scripts are often enqueued when a Nexter block or specific "Site Enhancement" (like Performance optimizations) is active.
  2. Create a Test Page:
    wp post create --post_type=page --post_status=publish --post_title="Exploit Research" --post_content="[nexter_test_shortcode]"
    (Note: Look for shortcodes using grep -rn "add_shortcode" . in the plugin directory. Common ones include nxt_search or nexter_block.)
  3. Extract Nonce via Browser:
    • Use browser_navigate to visit the newly created page.
    • Use browser_eval to extract the nonce from the localized JS object. Nexter usually uses a variable like nexter_ajax_vars or nxt_vars.
    • Target Variable: window.nexter_vars?.nonce or window.nxt_performance_vars?.nonce.

5. Exploitation Strategy

Step 1: Discover Entry Point

Search the plugin code for the vulnerable function and its callers:

grep -rn "function nxt_unserialize_replace" .
grep -rn "nxt_unserialize_replace" .

Identify the wp_ajax_nopriv_ action associated with the caller.

Step 2: Construct the Payload

Since no POP chain is inherent to the plugin, use a standard WordPress POP chain (if present) or a "blind" payload to confirm the injection.

  • Payload Example (Generic): O:8:"PHP_Class":0:{}
  • Payload for Detection: Use an object that triggers a known error or a class that exists in WP Core to cause a change in behavior (e.g., WP_Theme).

Step 3: Send HTTP Request

Send the exploit via the http_request tool:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=INFERRED_ACTION&nonce=EXTRACTED_NONCE&data=PAYLOAD

6. Test Data Setup

  1. Plugin Activation: Ensure nexter-extension is active.
  2. Shortcode Placement: Create a page with a Nexter shortcode to ensure scripts and nonces are rendered.
    wp post create --post_type=page --post_status=publish --post_content='[nxt_search]'

7. Expected Results

  • Success Criteria: The server processes the serialized object. If a POP chain is used (e.g., to create a file or change an option), the state of the WordPress site should reflect this change.
  • Error-Based Confirmation: If an invalid object is injected, the PHP error log (if WP_DEBUG is on) may show an "unserialize()" error or a "__wakeup()" call on a non-existent class.

8. Verification Steps

  1. Check Logs: Use tail -f wp-content/debug.log while sending the request to see if unserialize() triggers any warnings/errors.
  2. State Verification: If the POP chain was intended to modify an option:
    wp option get test_option_name
  3. Database Check: Query for any injected strings that should not exist.

9. Alternative Approaches

  • LFI/RFI via POP: If a POP chain like GuzzleHttp\Cookie\FileCookieJar (if available via other plugins) is used, attempt to write a small file to wp-content/uploads/.
  • Global Variable Overwrite: Check if the unserialize result is later used in an extract() call or similar, which could lead to variable shadowing.
  • Search-and-Replace Loop: If nxt_unserialize_replace is part of a search-and-replace tool, try to find an endpoint that processes large amounts of data to trigger a Denial of Service via resource exhaustion during deserialization.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Nexter Extension – Site Enhancements Toolkit plugin is vulnerable to unauthenticated PHP Object Injection due to the use of unserialize() on untrusted data in the nxt_unserialize_replace function. Attackers can exploit this by submitting crafted serialized payloads to unauthenticated AJAX endpoints, potentially achieving remote code execution if a suitable POP chain is present on the site.

Vulnerable Code

// nexter-extension/includes/helper-functions.php (Inferred)
function nxt_unserialize_replace($data) {
    // ... potentially some string replacement logic ...
    $unserialized = unserialize($data); // <--- INJECTION POINT
    // ...
    return $unserialized;
}

Security Fix

--- a/includes/helper-functions.php
+++ b/includes/helper-functions.php
@@ -10,7 +10,7 @@
 function nxt_unserialize_replace($data) {
     if (is_serialized($data)) {
-        $unserialized = unserialize($data);
+        $unserialized = unserialize($data, ['allowed_classes' => false]);
         return $unserialized;
     }
     return $data;

Exploit Outline

1. Identify an unauthenticated AJAX handler (e.g., wp_ajax_nopriv_nxt_ajax_action) that passes user-controlled parameters into the nxt_unserialize_replace function. 2. Obtain the required AJAX nonce by visiting the site's frontend and extracting it from localized JavaScript objects such as 'nexter_vars' or 'nxt_performance_vars'. 3. Construct a PHP serialized object payload designed to trigger a POP chain available in the WordPress environment (e.g., targeting classes in WP Core or other active plugins to perform file operations or data retrieval). 4. Send a POST request to /wp-admin/admin-ajax.php with the action parameter, the acquired nonce, and the malicious payload string in the data parameter.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/02de9287-68e4-46ce-a491-3f6cbb7fc0ed?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database