CVE-2026-1235

MEDIUM 6.5

WP eCommerce <= 3.15.1 - Unauthenticated PHP Object Injection

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

6th

The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

Vendor	unknown
Product	wp ecommerce
Published	Feb 11, 2026
Last Updated	Apr 2, 2026

Stay Ahead of the Next One

Get instant alerts for unknown wp ecommerce

Be the first to know when new medium vulnerabilities affecting unknown wp ecommerce are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Unknown / WP eCommerce

0 ≤ 3.15.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wpscan.com: https://wpscan.com/vulnerability/c7eb234e-3113-40db-a00d-358604d91e3f/

Credits

yiğit ibrahim sağlam WPScan