CVE-2026-1235 PUBLISHED

WP eCommerce <= 3.15.1 - Unauthenticated PHP Object Injection

Assigner: WPScan
Reserved: 20.01.2026 Published: 11.02.2026 Updated: 11.02.2026

The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

Product Status

Vendor	Unknown
Product	WP eCommerce
Versions	Default: affected affected from 0 to 3.15.1 (incl.)

Credits

yiğit ibrahim sağlam finder
WPScan coordinator

References

https://wpscan.com/vulnerability/c7eb234e-3113-40db-a00d-358604d91e3f/

Problem Types

CWE-502 Deserialization of Untrusted Data CWE