External risk intelligence

WordPress Boost plugin allows attackers to steal data or take control of your site.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-7637

The Boost plugin for WordPress has a critical flaw. Attackers can potentially take control of your website or steal data if your site also has another vulnerable plugin or theme.

4Halo Surface Signal

Deserialization

External exposure likelihood

Halo Surface Signal score for CVE-2026-7637

The vulnerability exists in a WordPress plugin. As a web application component, it is processed by the web server handling incoming HTTP requests. WordPress sites are commonly deployed as public-facing web applications accessible from the internet, making this plugin's input handling surface reachable to external users.

Horizon Alert

Summary of the vulnerability and why it matters

The Boost plugin for WordPress has a critical vulnerability that could allow unauthenticated attackers to inject PHP objects. This could lead to severe consequences like deleting files or executing code, but only if another plugin or theme on the site provides the necessary components for such an attack.

Attacker can inject PHP objects.
Exploitation requires a vulnerable POP chain.
Potential for data loss or code execution.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending specially crafted input in a cookie to a WordPress site running a vulnerable version of the Boost plugin. This input is deserialized, allowing the attacker to inject a PHP object if a suitable POP chain is available through another installed plugin or theme. If a POP chain exists, the attacker could potentially perform actions like deleting files or executing code.

Unauthenticated remote access required.
Vulnerable surface is cookie deserialization.
Requires another vulnerable plugin or theme.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability is unlikely to be weaponized by attackers without further conditions. While the plugin is accessible via the web, the PHP Object Injection requires a specific "POP chain" from another plugin or theme to be present on the target system. Without this chain, the injection would have no impact, which significantly reduces its appeal to opportunistic attackers.

No public exploit available.
No KEV listing.
Impact is conditional on other software.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize investigating the Boost plugin for PHP Object Injection, especially if other plugins with POP chains are present. This critical vulnerability could allow unauthenticated attackers to execute code or access sensitive data by deserializing untrusted input via the STYXKEY-BOOST_USER_LOCATION cookie.

Block deserialization of untrusted input.
Monitor for unusual file activity or code execution.
Update Boost plugin to a patched version when available.

Frequently asked questions

What is the Boost plugin for WordPress and what is its function?

The Boost plugin is an add-on for WordPress, a widely-used content management system. It is designed to enhance the capabilities of WordPress websites, frequently offering features that assist in managing user location data.

What kind of security weakness does CVE-2026-7637 represent?

CVE-2026-7637 is classified as a PHP Object Injection vulnerability. This type of weakness arises when an application processes serialized data from untrusted sources, enabling an attacker to introduce malicious PHP objects that can alter the application's behavior.

How could an attacker exploit the PHP Object Injection in the Boost plugin?

An attacker could exploit this by sending a specifically crafted input within the STYXKEY-BOOST_USER_LOCATION cookie. This input is deserialized, and if a suitable POP chain exists in another plugin or theme on the site, the attacker can inject a PHP object.

What are the potential impacts if a POP chain is present alongside this vulnerability?

If a PHP Object (POP) chain is present in another plugin or theme on the target WordPress site, an attacker could leverage this vulnerability to perform significant actions. These actions might include deleting arbitrary files, accessing sensitive information, or even executing code on the server, depending on the specifics of the available POP chain.

What steps should be taken to address this vulnerability in the Boost plugin?

It is recommended to investigate the Boost plugin for this PHP Object Injection vulnerability, especially if other plugins known to contain POP chains are installed. Teams should focus on preventing the deserialization of untrusted input and monitor for any suspicious file activity or signs of code execution. Updating the Boost plugin to a version that includes a fix for this issue is also a crucial remediation step.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.