WP eCommerce WordPress Plugin Unauthenticated PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the WP eCommerce WordPress plugin, affecting versions through 3.15.1. The issue arises because the plugin unserializes user input via AJAX actions, which could enable unauthenticated users to perform object injection when a suitable gadget is available on the blog.

Impact

Exploitation of this vulnerability allows for PHP Object Injection, which could lead to arbitrary code execution or other malicious actions, depending on the injected object and the application's context.

Reproduction

To reproduce this vulnerability, send a POST request to '/wp-admin/admin-ajax.php' with the 'action' parameter set to 'wpsc_update_customer_meta'. Include a malicious serialized payload in the 'meta_value' parameter. After injecting the payload, verify its persistence by requesting the same meta key, which should return the injected data, indicating successful exploitation.

Added: Feb 11, 2026, 6:19 AM
Updated: Feb 11, 2026, 6:19 AM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
10.0
exploitability
9.1
remediation
0.0
relevance
1.8
threat
6.4
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.