[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$famceu-pInbJV9-s1EY1PhVGJRMVFsOnHTh9Xo_md8hM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39434","product-feed-manager-for-woocommerce-ctx-feed-support-220-shopping-social-channels-authenticated-shop-manager-php-object","Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels \u003C= 6.6.26 - Authenticated (Shop Manager+) PHP Object Injection","The Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 6.6.26 via deserialization of untrusted input. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","webappick-product-feed-for-woocommerce",null,"\u003C=6.6.26","6.6.27","medium",6.6,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-04-07 00:00:00","2026-04-15 19:24:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff2967b6a-38e1-405b-83a3-ae6ea07b8840?source=api-prod",9,[22,23,24,25,26,27,28,29],"README.txt","V5\u002FAPI\u002FRestController.php","V5\u002FFeed\u002FFeed.php","V5\u002FHelper\u002FFeedHelper.php","V5\u002FHelper\u002FProductHelper.php","V5\u002FOutput\u002FCategoryMapping.php","V5\u002FOutput\u002FDynamicAttributes.php","V5\u002FProduct\u002FProductAttributeFactory.php","researched",false,3,"# Research Plan: PHP Object Injection in CTX Feed (CVE-2026-39434)\n\n## 1. Vulnerability Summary\nThe **Product Feed Manager for WooCommerce (CTX Feed)** plugin is vulnerable to PHP Object Injection via the `maybe_unserialize()` function. The vulnerability occurs because several administrative and API-related functions retrieve data from the WordPress `options` table and pass it through `maybe_unserialize()`. An authenticated attacker with Shop Manager or Admin privileges can influence the content of these options (due to insufficient sanitization in the feed configuration saving process) and then trigger their deserialization, leading to arbitrary object injection.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** The vulnerability is reachable via the plugin's REST API, specifically the `manage_feeds` or `settings` related endpoints.\n*   **Vulnerable Actions:**\n    *   `POST \u002Fwp-json\u002Fctxfeed\u002Fv1\u002Fmanage_feeds` (Inferred for saving feed configuration)\n    *   `POST \u002Fwp-json\u002Fctxfeed\u002Fv1\u002Fupdate_feed_status` (Inferred for triggering the sink in `Feed::update_feed_status`)\n*   **Payload Parameter:** Any string field within a feed configuration (e.g., `filename`, `mappingname`, or attribute labels) which is stored via `update_option` without proper sanitization.\n*   **Authentication:** Requires a user with `manage_woocommerce` or `manage_options` capabilities (Shop Manager or Administrator).\n","The CTX Feed plugin is vulnerable to PHP Object Injection because it performs unsafe deserialization using maybe_unserialize() on data retrieved from the WordPress options table. Authenticated attackers with Shop Manager or Administrator privileges can store malicious serialized payloads in plugin settings or feed configurations and trigger their execution when the plugin retrieves and deserializes that data.","\u002F\u002F V5\u002FAPI\u002FRestController.php line 424\npublic function prepare_item_for_response( $item, $request ) {\n    return maybe_unserialize( $item );\n}\n\n---\n\n\u002F\u002F V5\u002FFeed\u002FFeed.php line 45-47\npublic static function update_feed_status($feed_name, $status) {\n    $feed_name = isset( $feed_name ) ? sanitize_text_field( wp_unslash( $feed_name ) ) : false;\n    if ( ! empty( $feed_name ) ) {\n        $feed_info           = maybe_unserialize( get_option( $feed_name ) );\n\n---\n\n\u002F\u002F V5\u002FOutput\u002FDynamicAttributes.php line 37\npublic static function getDynamicAttributeValue( $attribute, $merchant_attribute, $product, $config, $parent_product=null ) {\n    \u002F\u002F$get_attribute_value_by_type = new AttributeValueByType( $attribute, $merchant_attribute, $product, $config );\n    $getValue         = maybe_unserialize( get_option( $attribute ) );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebappick-product-feed-for-woocommerce\u002F6.6.26\u002FV5\u002FAPI\u002FRestController.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebappick-product-feed-for-woocommerce\u002F6.6.27\u002FV5\u002FAPI\u002FRestController.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebappick-product-feed-for-woocommerce\u002F6.6.26\u002FV5\u002FAPI\u002FRestController.php\t2026-01-19 12:27:58.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwebappick-product-feed-for-woocommerce\u002F6.6.27\u002FV5\u002FAPI\u002FRestController.php\t2026-03-30 04:27:34.000000000 +0000\n@@ -398,13 +398,31 @@\n \t}\n \n \t\u002F**\n+\t * Safe unserialize that prevents PHP Object Injection.\n+\t *\n+\t * @param mixed $data The data to unserialize.\n+\t * @return mixed The unserialized data or original if not serialized.\n+\t *\u002F\n+\tpublic static function safe_unserialize( $data ) {\n+\t\tif ( ! is_string( $data ) ) {\n+\t\t\treturn $data;\n+\t\t}\n+\t\tif ( ! is_serialized( $data ) ) {\n+\t\t\treturn $data;\n+\t\t}\n+\t\t\u002F\u002F Use allowed_classes = false to prevent object instantiation\n+\t\treturn @unserialize( $data, array( 'allowed_classes' => false ) ); \u002F\u002F phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.serialize_unserialize\n+\t}\n+\n+\t\u002F**\n \t * @param $item\n \t * @param $request\n \t *\n \t * @return void|\\WP_Error|\\WP_REST_Response\n \t *\u002F\n \tpublic function prepare_item_for_response( $item, $request ) {\n-\t\treturn maybe_unserialize( $item );\n+\t\t\u002F\u002F Use safe deserialization to prevent PHP Object Injection\n+\t\treturn self::safe_unserialize( $item );\n \t}","The exploit requires an attacker with Shop Manager or Administrator level permissions to perform a two-step attack. First, the attacker uses the plugin's feed management features or REST API endpoints (such as `manage_feeds`) to save a malicious serialized PHP object into a WordPress option managed by the plugin (e.g., feed configurations prefixed with `wf_feed_` or `wf_config`). Second, the attacker triggers a plugin function that retrieves this option and passes it through a deserialization sink. Functions like `update_feed_status`, `delete_feed`, or API calls that use `prepare_item_for_response` will fetch the attacker-controlled option and call `maybe_unserialize()`. If a suitable POP chain is available in any other installed plugin or theme, this allows for arbitrary file deletion, data retrieval, or remote code execution.","gemini-3-flash-preview","2026-04-17 21:05:29","2026-04-17 21:06:26",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.6.26","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebappick-product-feed-for-woocommerce\u002Ftags\u002F6.6.26","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebappick-product-feed-for-woocommerce.6.6.26.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebappick-product-feed-for-woocommerce\u002Ftags\u002F6.6.27","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwebappick-product-feed-for-woocommerce.6.6.27.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwebappick-product-feed-for-woocommerce\u002Ftags"]