CVE-2025-11993

WordPress · WooCommerce Infinite Scroll and Ajax Pagination Plugin

The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection, allowing potential remote code execution.

Executive summary

A PHP Object Injection vulnerability in the WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress allows remote attackers to compromise the integrity and security of the site.

Vulnerability

The plugin is susceptible to PHP Object Injection, which can be leveraged by an attacker to execute arbitrary code or perform unauthorized actions, assuming the application environment allows for such object deserialization.
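To make the condition described above concrete, the following is an added illustration written for this advisory, not code from the plugin or its authors: a hypothetical state value that reaches `unserialize()` unchanged, beside two hardened variants. The function and parameter names (`load_state_*`, `wcis_state`) are assumptions chosen for the example, and the sample payloads are constructed (they reference only `stdClass`, which carries no gadget).

```php
<?php
// Added illustration (not the plugin's code): how PHP Object Injection arises
// when untrusted input reaches unserialize(), and two ways to remove the risk.

// VULNERABLE: unserialize() on untrusted data instantiates whatever class the
// payload names and runs its magic methods (__wakeup, __destruct, ...), so any
// loaded class with a dangerous magic method becomes reachable as a "gadget".
function load_state_unsafe(string $raw): array {
    $state = @unserialize($raw);   // objects are fully instantiated here
    return is_array($state) ? $state : [];
}

// HARDENED (option 1): forbid object instantiation entirely. With
// allowed_classes => false, every O:/C: record becomes __PHP_Incomplete_Class
// and no magic methods run. The option exists since PHP 7.0.
function load_state_safe(string $raw): array {
    $state = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($state) ? $state : [];
}

// HARDENED (option 2, preferred for new code): do not use PHP serialization
// for client-held state at all; JSON can only yield scalars and arrays.
function load_state_json(string $raw): array {
    $state = json_decode($raw, true, 8);   // associative arrays only, shallow depth
    return is_array($state) ? $state : [];
}

// After option 1, any __PHP_Incomplete_Class left in the data proves that the
// client sent an object record, which is worth logging as an attack attempt.
function contains_incomplete_class($value): bool {
    if ($value instanceof __PHP_Incomplete_Class) return true;
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_incomplete_class($v)) return true;
        }
    }
    return false;
}

// Constructed samples: a benign array and an array smuggling an object record.
$benign  = 'a:1:{s:4:"page";i:3;}';
$hostile = 'a:2:{s:4:"page";i:3;s:3:"obj";O:8:"stdClass":0:{}}';

foreach ([$benign, $hostile] as $raw) {
    $safe = load_state_safe($raw);
    printf("page=%s object_record=%s\n",
        $safe['page'] ?? '?',
        contains_incomplete_class($safe) ? 'yes' : 'no');
}
```

The `@` on `unserialize()` suppresses the notice for malformed input; in production code, replace it with explicit error handling and log the failure, because a malformed or object-bearing state value is itself a signal worth keeping.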

Business impact

PHP Object Injection is a severe vulnerability that can lead to remote code execution (RCE), allowing an attacker to take full control of the WordPress instance. With a CVSS score of 8.8, this flaw poses a significant risk to site availability, data integrity, and the confidentiality of user information.

Remediation

Immediate Action: Update the plugin to the latest version, or remove it entirely if it is no longer required for site functionality.

Proactive Monitoring: Review security logs for anomalous PHP error messages or unexpected file modifications within the WordPress directory.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to detect and block malicious serialized PHP objects.
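The detection logic such a WAF rule needs is small enough to show. The following is an added example written for this advisory, not a rule from any WAF product or code from the plugin: it flags request parameters that carry a serialized PHP object record, including URL-encoded and base64-wrapped variants, so a rule or a WordPress mu-plugin can reject the request before any `unserialize()` call runs. The sample requests are constructed, and the function names are assumptions.

```php
<?php
// Added example (not part of the advisory or the plugin): flag request
// parameters that carry a serialized PHP object record.

// Serialized objects start with O:<len>:"<class>": (plain objects) or
// C:<len>:"<class>": (Serializable classes), either at the start of the value
// or directly after a preceding record (';') or container open ('{').
// Arrays (a:) and scalars (s:, i:, b:, d:) are not object records.
const PHP_OBJECT_RECORD = '/(?:^|[;{])[OC]:\d+:"/';

function looks_like_php_object(string $value): bool {
    $candidates = [$value, rawurldecode($value)];
    // Payloads are often base64-wrapped; decode strictly and only if it is valid.
    $b64 = base64_decode($value, true);
    if ($b64 !== false) {
        $candidates[] = $b64;
    }
    foreach ($candidates as $c) {
        if (preg_match(PHP_OBJECT_RECORD, $c) === 1) {
            return true;
        }
    }
    return false;
}

// Scan every string parameter of a request; returns the offending parameter names.
function flag_object_injection(array $params): array {
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && looks_like_php_object($value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample requests (not real traffic).
$requests = [
    ['page' => '3', 'state' => 'a:1:{s:4:"page";i:3;}'],              // benign array
    ['page' => '3', 'state' => 'O:8:"stdClass":1:{s:1:"x";i:1;}'],    // object record
    ['page' => '3', 'state' => base64_encode('O:8:"stdClass":0:{}')], // base64-wrapped
    ['page' => '3', 'state' => rawurlencode('a:1:{i:0;O:8:"stdClass":0:{}}')], // nested, URL-encoded
];

foreach ($requests as $i => $req) {
    $hits = flag_object_injection($req);
    printf("request %d: %s\n", $i,
        $hits ? 'BLOCK (' . implode(',', $hits) . ')' : 'allow');
}
```

Treat a match as a block-and-alert event rather than a silent drop: a serialized object arriving in a parameter that should only ever hold a page number or an array is a strong indicator of an exploitation attempt against exactly the class of flaw this advisory describes, and the logged request gives responders the source and the targeted endpoint.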

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the severity of PHP Object Injection, administrators must treat this as a high-priority update. If a patch is unavailable, disabling the plugin is the only effective way to eliminate the risk of remote code execution until a secure version is released.