PHP Object Injection Vulnerability in Boost Plugin for WordPress
CVE-2026-7637

9.8 CRITICAL

Key Information:

Vendor

WordPress

Status
Vendor
CVE Published:
20 May 2026

What is CVE-2026-7637?

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to and including 2.0.3, because it deserializes untrusted input taken from the STYXKEY-BOOST_USER_LOCATION cookie. This allows unauthenticated attackers to inject PHP objects. No property-oriented programming (POP) chain is known in the plugin itself, so the flaw alone does not pose a direct threat; it becomes exploitable when another plugin or theme installed on the site contains a POP chain. Where a POP chain is present, attackers could delete files, access sensitive information, or execute arbitrary code.
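A defensive check for the cookie described above, as an added example that is not code from the plugin or from the advisory: it flags serialized PHP object tokens in the STYXKEY-BOOST_USER_LOCATION value of a captured Cookie header. The function names and sample headers are constructed, and because the page does not state how the cookie is encoded on the wire, the check assumes a URL-encoded value that may also be base64-encoded.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

COOKIE_NAME = "STYXKEY-BOOST_USER_LOCATION"  # cookie named in the advisory

# PHP serialize() writes objects as O:<len>:"<Class>":<count>:{ and Serializable
# objects as C:<len>:"<Class>":<len>:{ ; arrays and scalars never use O: or C:.
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"([^"]+)":\d+:\{')

# Constructed sample Cookie headers (not taken from real traffic).
_OBJ = 'O:8:"stdClass":0:{}'
SAMPLES = {
    "array": f'wp-settings-1=x; {COOKIE_NAME}='
             + quote('a:1:{s:7:"country";s:2:"US";}', safe=""),
    "object": f"{COOKIE_NAME}=" + quote(_OBJ, safe=""),
    "nested": f"{COOKIE_NAME}=" + quote("a:1:{i:0;" + _OBJ + "}", safe=""),
    "base64_object": f"{COOKIE_NAME}=" + base64.b64encode(_OBJ.encode()).decode(),
}

def cookie_value(header, name=COOKIE_NAME):
    """Return the URL-decoded value of `name` from a Cookie header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return unquote(value)
    return None

def _candidates(value):
    """Yield the value as-is and, if it is valid base64, its decoded form."""
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass

def injected_classes(header, name=COOKIE_NAME):
    """List class names of serialized PHP objects found in the cookie."""
    value = cookie_value(header, name)
    if value is None:
        return []
    found = []
    for text in _candidates(value):
        found += OBJECT_TOKEN.findall(text)
    return found

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, injected_classes(header))
```

Any non-empty result is worth alerting on or blocking at a proxy or WAF, since a location cookie has no reason to carry a PHP object.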

Affected Version(s)

Boost 0 <= 2.0.3

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Osvaldo Noe Gonzalez Del Rio