Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels <= 6.6.26 - Authenticated (Shop Manager+) PHP Object Injection
Description
The Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 6.6.26 via deserialization of untrusted input. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Technical Details
Affected versions: <= 6.6.26
What Changed in the Fix
Changes introduced in v6.6.27
Source Code
WordPress.org SVN
Research Plan: PHP Object Injection in CTX Feed (CVE-2026-39434)
1. Vulnerability Summary
The Product Feed Manager for WooCommerce (CTX Feed) plugin is vulnerable to PHP Object Injection via the maybe_unserialize() function. The vulnerability occurs because several administrative and API-related functions retrieve data from the WordPress options table and pass it through maybe_unserialize(). An authenticated attacker with Shop Manager or Admin privileges can influence the content of these options (due to insufficient sanitization in the feed configuration saving process) and then trigger their deserialization, leading to arbitrary object injection.
2. Attack Vector Analysis
- Endpoint: The vulnerability is reachable via the plugin's REST API, specifically the `manage_feeds` or `settings` related endpoints.
- Vulnerable Actions:
  - `POST /wp-json/ctxfeed/v1/manage_feeds` (inferred for saving feed configuration)
  - `POST /wp-json/ctxfeed/v1/update_feed_status` (inferred for triggering the sink in `Feed::update_feed_status`)
- Payload Parameter: Any string field within a feed configuration (e.g., `filename`, mapping name, or attribute labels) which is stored via `update_option` without proper sanitization.
- Authentication: Requires a user with `manage_woocommerce` or `manage_options` capabilities (Shop Manager or Administrator).
Summary
The CTX Feed plugin is vulnerable to PHP Object Injection because it performs unsafe deserialization using maybe_unserialize() on data retrieved from the WordPress options table. Authenticated attackers with Shop Manager or Administrator privileges can store malicious serialized payloads in plugin settings or feed configurations and trigger their execution when the plugin retrieves and deserializes that data.
Vulnerable Code
```php
// V5/API/RestController.php line 424
// Sink: the REST response item is deserialized with no class restriction.
public function prepare_item_for_response( $item, $request ) {
    return maybe_unserialize( $item );
}
```

```php
// V5/Feed/Feed.php line 45-47
public static function update_feed_status( $feed_name, $status ) {
    $feed_name = isset( $feed_name ) ? sanitize_text_field( wp_unslash( $feed_name ) ) : false;
    if ( ! empty( $feed_name ) ) {
        // Sink: the option value is attacker-influenced and deserialized without class restrictions.
        $feed_info = maybe_unserialize( get_option( $feed_name ) );
        // ...
    }
}
```

```php
// V5/Output/DynamicAttributes.php line 37
public static function getDynamicAttributeValue( $attribute, $merchant_attribute, $product, $config, $parent_product = null ) {
    //$get_attribute_value_by_type = new AttributeValueByType( $attribute, $merchant_attribute, $product, $config );
    // Sink: the same unrestricted deserialization of a stored option.
    $getValue = maybe_unserialize( get_option( $attribute ) );
    // ...
}
```
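The sink pattern above, and the `allowed_classes` restriction the vendor fix relies on, as an added PHP example that is not CTX Feed code: the `AuditLogger` class, the function names and the sample option values are constructed for illustration, plain `unserialize()` stands in for WordPress' `maybe_unserialize()` wrapper so the script runs without WordPress, and PHP 8.0 or later is assumed for the `mixed` return type. It also includes a small audit check a defender can run over exported option values.

```php
<?php
// Added example, not CTX Feed code: contrasts an unrestricted unserialize() sink
// with one that passes allowed_classes => false, and adds an audit check that
// flags stored option values carrying serialized PHP objects.

// Constructed stand-in for a gadget class that some other plugin or theme might
// provide. It only records that its magic method ran; a real POP chain would act.
final class AuditLogger
{
    public static array $events = [];
    public string $path = '';

    public function __destruct()
    {
        self::$events[] = "__destruct reached with path={$this->path}";
    }
}

// Vulnerable pattern from the advisory: deserialize whatever the option holds.
// Plain unserialize() stands in for WordPress' maybe_unserialize() wrapper.
function unsafe_read_option(string $stored): mixed
{
    return unserialize($stored); // sink: any class named in the string is instantiated
}

// Hardened pattern, equivalent to the fix's safe_unserialize(): objects are
// never instantiated; they surface as __PHP_Incomplete_Class instead.
function safe_read_option(string $stored): mixed
{
    $result = @unserialize($stored, ['allowed_classes' => false]);
    if ($result === false && $stored !== 'b:0;') {
        return $stored; // malformed data: hand back the raw string, not a misleading false
    }
    return $result;
}

// Audit heuristic for wp_options dumps: object (O:) and custom-serialized (C:)
// tokens at the start of a value, or after ; or {, indicate an embedded object.
function contains_serialized_object(string $stored): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $stored);
}

// Constructed sample option values; the second names the gadget class above.
$legitimate = serialize(['filename' => 'google-shopping', 'format' => 'xml']);
$hostile    = 'O:11:"AuditLogger":1:{s:4:"path";s:12:"/tmp/example";}';

printf("audit legit:   %s\n", var_export(contains_serialized_object($legitimate), true));
printf("audit hostile: %s\n", var_export(contains_serialized_object($hostile), true));

// Hardened path: the class token survives, but no AuditLogger is built, so nothing fires.
$safe = safe_read_option($hostile);
printf("safe path yields: %s\n", get_class($safe));
printf("events after safe path: %d\n", count(AuditLogger::$events));

// Unsafe path: a real AuditLogger is built and its destructor fires when released.
$obj = unsafe_read_option($hostile);
unset($obj);
printf("events after unsafe path: %d\n", count(AuditLogger::$events));
echo AuditLogger::$events[0], "\n";
```

The hardened path yields a `__PHP_Incomplete_Class` and the event list stays empty, while the unrestricted path instantiates the class and its destructor runs. One caveat matters for remediation: an incomplete-class object keeps its original class name and re-serializes to the same `O:` token, so a value that was read safely once is still dangerous if any other code path later feeds it to an unrestricted `unserialize()`. Every sink has to be covered, not just one, and the `contains_serialized_object()` check is a cheap way to find option values that warrant a look, for instance over the output of `wp option list` or a database export.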
Security Fix
@@ -398,13 +398,31 @@ } /** + * Safe unserialize that prevents PHP Object Injection. + * + * @param mixed $data The data to unserialize. + * @return mixed The unserialized data or original if not serialized. + */ + public static function safe_unserialize( $data ) { + if ( ! is_string( $data ) ) { + return $data; + } + if ( ! is_serialized( $data ) ) { + return $data; + } + // Use allowed_classes = false to prevent object instantiation + return @unserialize( $data, array( 'allowed_classes' => false ) ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.serialize_unserialize + } + + /** * @param $item * @param $request * * @return void|\WP_Error|\WP_REST_Response */ public function prepare_item_for_response( $item, $request ) { - return maybe_unserialize( $item ); + // Use safe deserialization to prevent PHP Object Injection + return self::safe_unserialize( $item ); }
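Review bot: only the `prepare_item_for_response()` sink is rewritten in this hunk, while the two other `maybe_unserialize( get_option( ... ) )` calls quoted under Vulnerable Code (`Feed::update_feed_status()` and `DynamicAttributes::getDynamicAttributeValue()`) do not appear in it, so confirm those are routed through `safe_unserialize()` as well; a stored object token stays exploitable through whichever sink is left unrestricted. In `safe_unserialize()`, `@unserialize( $data, array( 'allowed_classes' => false ) )` returns `false` for malformed input with the notice suppressed, which is indistinguishable from a legitimately serialized `false` (`b:0;`); consider `if ( false === $result && 'b:0;' !== $data ) { return $data; }` so callers see the raw string rather than a silent failure. The retained docblock `@return void|\WP_Error|\WP_REST_Response` no longer describes a method that returns the unserialized data; update it to `@return mixed`.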
Exploit Outline
The exploit requires an attacker with Shop Manager or Administrator level permissions to perform a two-step attack. First, the attacker uses the plugin's feed management features or REST API endpoints (such as `manage_feeds`) to save a malicious serialized PHP object into a WordPress option managed by the plugin (e.g., feed configurations prefixed with `wf_feed_` or `wf_config`). Second, the attacker triggers a plugin function that retrieves this option and passes it through a deserialization sink. Functions like `update_feed_status`, `delete_feed`, or API calls that use `prepare_item_for_response` will fetch the attacker-controlled option and call `maybe_unserialize()`. If a suitable POP chain is available in any other installed plugin or theme, this allows for arbitrary file deletion, data retrieval, or remote code execution.