CVE-2026-1235

WP eCommerce <= 3.15.1 - Unauthenticated PHP Object Injection

Description

The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

INFO

Published Date :

2026-02-11T06:00:08.398Z

Last Modified :

2026-04-02T12:39:57.069Z

Source :

WPScan

AFFECTED PRODUCTS

The following products are affected by CVE-2026-1235 vulnerability.

Vendors	Products
Wordpress	Wordpress
Wp Ecommerce	Wp Ecommerce

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-1235.

URL	Resource
https://wpscan.com/vulnerability/c7eb234e-3113-40db-a00d-358604d91e3f/

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact