Boost WordPress Plugin Unauthenticated PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the Boost plugin for WordPress, affecting versions 2.0.3 and prior. The issue arises from the deserialization of untrusted data in the STYXKEY-BOOST_USER_LOCATION cookie, allowing unauthenticated attackers to inject PHP objects. While the vulnerable plugin itself does not have a known payload execution chain, the vulnerability could be exploited if another plugin or theme with a compatible payload execution chain is installed, potentially leading to unauthorized file deletions, sensitive data exposure, or arbitrary code execution.
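A detection check for the deserialization path described above, added here as an example and not taken from the Boost plugin or from this advisory's publisher: it flags Cookie request headers whose STYXKEY-BOOST_USER_LOCATION value contains a PHP serialized-object marker. Only the cookie name comes from the advisory; the URL and base64 encodings it tries, the function names and the sample headers are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

COOKIE_NAME = "STYXKEY-BOOST_USER_LOCATION"  # cookie named in the advisory
# serialize() object markers: O:<len>:"Class":<count>:{ and C:<len>:"Class":<len>:{
# Unanchored on purpose: nested objects count, and recall matters more than precision.
OBJECT_TOKEN = re.compile(r'[OC]:\+?\d+:"[^"]*":\+?\d+:\{')


def cookie_value(cookie_header, name=COOKIE_NAME):
    """Return the raw value of `name` from a Cookie request header, or None."""
    for pair in cookie_header.split(";"):
        key, sep, value = pair.strip().partition("=")
        if sep and key == name:
            return value
    return None


def candidate_decodings(raw):
    """Yield the value as sent, URL-decoded, and base64-decoded (encodings are assumptions)."""
    url_decoded = unquote(raw)
    yield raw
    yield url_decoded
    try:
        yield base64.b64decode(url_decoded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass  # not base64; nothing more to inspect


def carries_php_object(cookie_header):
    """True if the Boost location cookie holds a serialized PHP object in any decoding."""
    raw = cookie_value(cookie_header)
    return raw is not None and any(OBJECT_TOKEN.search(v) for v in candidate_decodings(raw))


# Constructed sample headers (not captured traffic; the benign array layout is invented).
SAMPLES = {
    "array_only": f"{COOKIE_NAME}=" + quote('a:1:{s:7:"country";s:2:"US";}'),
    "object": f"session=abc; {COOKIE_NAME}=" + quote('O:8:"stdClass":0:{}'),
    "nested_b64": f"{COOKIE_NAME}=" + base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode(),
    "other_cookie": "theme=" + quote('O:8:"stdClass":0:{}'),
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:13} flagged={carries_php_object(header)}")
```

The check only inspects the named cookie, so it needs a log source that records request Cookie headers, such as a WAF or reverse-proxy capture.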

Impact

Exploitation of this vulnerability could allow for PHP Object Injection, with the potential for further exploitation if a compatible payload execution chain is available through another plugin or theme.

Remediation

Users are advised to update the Boost WordPress plugin to version 2.0.4 or a later patched version.

Added: May 20, 2026, 4:20 AM
Updated: May 20, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.8
remediation: 0.0
relevance: 8.7
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.