PHP Object Injection Vulnerability in Advanced AJAX Product Filters for WordPress
CVE-2026-1426

8.8 HIGH

Key Information:

Vendor

WordPress

CVE Published:
18 February 2026

What is CVE-2026-1426?

The Advanced AJAX Product Filters plugin for WordPress is vulnerable to PHP Object Injection because the shortcode_check function of its Live Composer compatibility layer deserializes untrusted input. Authenticated users with Author-level privileges or higher can exploit this to inject a PHP object. The vulnerability does not by itself result in harmful actions, but it poses a significant risk if combined with another plugin or theme that contains a property-oriented programming (POP) chain. If such a chain is present, attackers may be able to delete files, access sensitive data, or execute malicious code on the affected system, particularly if the Live Composer plugin is also active.
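
The deserialization pattern described above, next to a hardened alternative, as an added PHP example that is not the plugin's code and does not come from the advisory. `DemoGadget`, `decode_unsafe`, `decode_safe`, `has_object` and the payload string are hypothetical names and constructed data.

```php
<?php
// Added illustration, not the plugin's code. All names here are hypothetical.

// Constructed stand-in for a class shipped by some other plugin or theme whose
// magic method acts on its own properties (the building block of a POP chain).
class DemoGadget {
    public $label = 'default';
    public static $log = [];
    public function __destruct() {
        // Benign here; a real gadget might delete a file or invoke a callback.
        self::$log[] = "destructor ran, label={$this->label}";
    }
}

// The pattern the advisory describes: untrusted input reaches unserialize().
function decode_unsafe(string $raw) {
    return unserialize($raw);
}

// True if $value is, or contains, an object (including one refused instantiation).
function has_object($value): bool {
    if ($value instanceof __PHP_Incomplete_Class || is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (has_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened: no class is instantiated, and any payload carrying an object is rejected.
function decode_safe(string $raw) {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return has_object($value) ? null : $value;
}

// Constructed input: a serialized DemoGadget with a caller-chosen property.
$payload = 'O:10:"DemoGadget":1:{s:5:"label";s:15:"attacker-chosen";}';

$obj = decode_unsafe($payload);  // DemoGadget is instantiated from the input
unset($obj);                     // its destructor runs with the injected property
var_dump(decode_safe($payload)); // object is refused, so no destructor runs
var_dump(decode_safe(serialize(['color' => 'red']))); // scalar/array data still decodes
print_r(DemoGadget::$log);       // entries come only from the decode_unsafe() call
```

Where the stored value never needs to be an object, a data-only format such as JSON avoids the problem class entirely.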

Affected Version(s)

Advanced AJAX Product Filters * <= 3.1.9.6

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Athiwat Tiprasaharn
Itthidej Aramsri