External risk intelligence

PHP Object Injection in WooCommerce Product Filters

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-40725

An unauthenticated PHP Object Injection vulnerability exists in WooCommerce Product Filters, potentially allowing attackers to execute arbitrary code. This could impact website data and functionality. Confirming relevance and exposure is advised for affected e-commerce platforms.

Deserialization

Halo Surface Signal

Very likely · external exposure

5Halo Surface Signal

The vulnerability affects a WooCommerce plugin, which is specifically designed to function as a public-facing component of an e-commerce website. As an unauthenticated endpoint within a web application plugin, it is exposed to the public internet by design in normal deployment.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns an unauthenticated PHP Object Injection vulnerability in a WooCommerce Product Filters plugin, which could allow attackers to execute code on affected systems. The main concern is confirming relevance and exposure, as the plugin is designed for public-facing e-commerce websites.

  • Unauthenticated code execution risk in a shopping plugin.
  • Public-facing e-commerce plugins often have broad exposure.
  • Confirm relevance and assess your exposure to this risk.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can target the WooCommerce Product Filters plugin to inject a PHP object. This injection can occur through deserialization of untrusted input, potentially allowing the attacker to achieve significant impact if a suitable PHP Object Injection (POP) chain exists. The nature of this vulnerability means that an attacker does not need any special access to the system to initiate the attack.

  • No authentication required.
  • Triggered by deserializing untrusted input.
  • Potential for code execution or data compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject malicious PHP code into a WooCommerce plugin. This could potentially lead to the modification or deletion of data, or even complete control over the affected website, depending on the plugin's capabilities and the server's configuration.

  • Website data and functionality.
  • Via unauthenticated network requests.
  • Complete site compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

The unauthenticated PHP Object Injection vulnerability in WooCommerce Product Filters likely requires action from the e-commerce application owner or the team managing the WordPress environment. The first practical step is to identify all instances of the affected plugin, confirm their accessibility from the internet, and assess their business criticality to prioritize remediation efforts.

  • Application owners should own the issue.
  • Verify plugin reachability and business criticality.
  • Plan and coordinate vendor-provided fixes.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-40725 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

Unauthenticated PHP Object Injection in WooCommerce Product Filters is a critical vulnerability that could allow unauthenticated attackers to inject a PHP Object, potentially leading to arbitrary file deletion, sensitive data retrieval, or code execution. This type of vulnerabili

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the WooCommerce Product Filters plugin?

It is a WordPress plugin used to add advanced search and filtering features to online stores. It helps customers browse products by attributes like price, size, or color, directly influencing how a website processes user search requests and renders its storefront pages.

What does PHP Object Injection mean in CVE-2026-40725?

This vulnerability, classified as CWE-502, occurs when an application processes untrusted user data without sufficient validation. By injecting a malicious object, an attacker can manipulate how the plugin handles internal data, which may lead to unauthorized code execution or unintended actions within the server environment.

How does an attacker trigger this vulnerability?

An attacker initiates the vulnerability by sending a specially crafted network request to the plugin that triggers the insecure deserialization of data. Note that this attack does not require the user to be logged in, and valid administrative credentials or specific prior knowledge of the system configuration are not needed to initiate the attempt.

Is my website at risk from this vulnerability?

Because this plugin is intended for public-facing e-commerce storefronts, Halo Surface Signal flags it as highly likely to be exposed to the internet. If your site uses an affected version of this plugin, it is reachable by external actors by default. You should check if your storefront is accessible online, as this increases the likelihood that it could be targeted.

What steps should I take if I use this plugin?

Start by identifying every WordPress instance where this plugin is currently installed. Verify which sites are public-facing to determine your immediate risk, then prioritize updating your installations to a patched version once provided by the vendor. Coordinate with your technical team to track and verify these updates across your environment.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished