PHP Object Injection Vulnerability in Advanced AJAX Product Filters for WordPress
CVE-2026-1426
Key Information:
- Vendor: WordPress
- CVE Published: 18 February 2026
What is CVE-2026-1426?
The Advanced AJAX Product Filters plugin for WordPress is vulnerable to PHP Object Injection because the shortcode_check function of its Live Composer compatibility layer deserializes untrusted input. Authenticated users with Author-level privileges or higher can exploit this to inject a PHP object. The vulnerability does not directly result in harmful actions on its own, but it poses a significant risk when another installed plugin or theme contains a property-oriented programming (POP) chain. If such a chain is present, attackers may be able to delete files, access sensitive data, or execute malicious code on the affected system, particularly if the Live Composer plugin is also active.
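The deserialization failure mode described above, shown beside a hardened form. This is an added example, not code from the plugin: DemoGadget, parse_settings_unsafe, parse_settings_safe, contains_object and the sample settings array are hypothetical names and data constructed for illustration.

```php
<?php
// Added illustration; not code from the Advanced AJAX Product Filters plugin.
// DemoGadget is a hypothetical stand-in for a class from another plugin or
// theme whose magic method has a side effect (one link of a POP chain).
final class DemoGadget
{
    public $note = 'default';
    public function __wakeup()
    {
        // Harmless marker so the demo can tell that the magic method ran.
        $GLOBALS['gadget_ran'] = true;
    }
}

// Vulnerable pattern: unserialize() instantiates any class PHP can load.
function parse_settings_unsafe(string $raw)
{
    return unserialize($raw);
}

// True if the value is, or contains, an object (including the
// __PHP_Incomplete_Class placeholder produced when a class is disallowed).
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}

// Hardened pattern: no class is instantiated, and anything that is not a
// plain array of scalars and arrays is discarded.
function parse_settings_safe(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return (is_array($data) && !contains_object($data)) ? $data : [];
}

// Constructed sample input: an object smuggled into an expected settings array.
$payload = serialize(['columns' => 3, 'extra' => new DemoGadget()]);
$GLOBALS['gadget_ran'] = false;
parse_settings_unsafe($payload);
var_dump($GLOBALS['gadget_ran']);
$GLOBALS['gadget_ran'] = false;
var_dump(parse_settings_safe($payload), $GLOBALS['gadget_ran']);
```

Storing such settings as JSON and reading them with json_decode avoids instantiating application classes altogether.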
Affected Version(s)
Advanced AJAX Product Filters: versions 0 through 3.1.9.6 (inclusive)