CVE-2025-11993
WordPress · WooCommerce Infinite Scroll and Ajax Pagination Plugin
The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection, which can lead to remote code execution.
Executive summary
A PHP Object Injection vulnerability in the WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress allows remote attackers to compromise the integrity and security of the site.
Vulnerability
The plugin passes attacker-influenced data to PHP's unserialize() (PHP Object Injection). On its own, deserializing untrusted input lets an attacker instantiate any loadable class with attacker-chosen property values; whether that turns into arbitrary code execution, arbitrary file writes or other unauthorized actions depends on a usable property-oriented programming (POP) chain, i.e. a class whose magic method (such as __wakeup or __destruct) does something dangerous, being present in the plugin, another installed plugin, the theme or WordPress core. No specific chain is identified here, so the practical impact varies from site to site with what else is installed.
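The following is an added illustration of the pattern described above, not code from the plugin or from this advisory. The class CacheWriter, its properties and the payload are hypothetical stand-ins; it shows a vulnerable unserialize() sink beside two hardened forms, and why the same payload is harmless once class instantiation is forbidden.

```php
<?php
// Added illustration of the PHP Object Injection pattern; this is NOT the
// plugin's code. CacheWriter and the payload below are hypothetical.

// Hypothetical gadget class. In a real attack it comes from the plugin,
// another plugin, the theme or core; the attacker only needs it loadable.
class CacheWriter
{
    public string $path = '/tmp/cache-demo.txt';
    public string $data = '';

    // Runs when the object is freed, i.e. as soon as the application drops
    // the value unserialize() returned. No call from the app is needed.
    public function __destruct()
    {
        @file_put_contents($this->path, $this->data); // attacker-controlled write
    }
}

// VULNERABLE sink: untrusted input reaches unserialize() unrestricted.
function load_state_vulnerable(string $raw)
{
    return unserialize($raw);
}

// HARDENED sink, option A: keep the format but forbid object creation.
// Any O:/C: token becomes __PHP_Incomplete_Class and no magic method runs.
function load_state_hardened(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// HARDENED sink, option B (preferred for new code): do not use PHP
// serialization for untrusted data at all; JSON carries no behaviour.
function load_state_json(string $raw): ?array
{
    $decoded = json_decode($raw, true);
    return is_array($decoded) ? $decoded : null;
}

// Constructed attacker payload: the serialize() form of CacheWriter with
// attacker-chosen property values (the length prefixes must match exactly).
$payload = 'O:11:"CacheWriter":2:{s:4:"path";s:14:"/tmp/owned.txt";s:4:"data";s:11:"hello world";}';
$target  = '/tmp/owned.txt';
@unlink($target);

// 1. Vulnerable path: the class is instantiated with the attacker's properties...
$obj = load_state_vulnerable($payload);
echo get_class($obj), " instantiated from untrusted input\n";
unset($obj); // ...and __destruct fires, writing the file.
echo file_exists($target) ? "gadget ran: $target written\n" : "gadget did not run\n";
@unlink($target);

// 2. Hardened path A: same payload, no class instantiated, no destructor.
$safe = load_state_hardened($payload);
echo $safe instanceof __PHP_Incomplete_Class
    ? "hardened: incomplete class, no destructor\n"
    : "unexpected result\n";
unset($safe);
echo file_exists($target) ? "gadget ran\n" : "hardened: nothing written\n";

// 3. Hardened path B: the payload is simply not valid JSON.
var_dump(load_state_json($payload));
```

The point of step 1 is that the application never calls anything on the object: instantiation alone is enough for __destruct to run. Option A is the minimal fix when the stored format cannot change; option B removes the class of bug entirely.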
Business impact
PHP Object Injection is a severe vulnerability that can lead to remote code execution (RCE), giving an attacker control of the WordPress instance with the privileges of the web server account. With a CVSS score of 8.8, this flaw poses a significant risk to site availability, data integrity and the confidentiality of user information.
Remediation
Immediate Action: Update the plugin to the latest patched version, or remove it entirely if it is no longer required for site functionality. Confirm the installed version against the vendor's changelog (for example with wp plugin list) rather than assuming auto-update has run.
Proactive Monitoring: Review web server access logs and PHP error logs for requests carrying serialized-object signatures (strings of the form O:<n>:"ClassName") to the site's AJAX endpoints, for PHP notices or warnings raised by unserialize(), and for unexpected file modifications within the WordPress directory (wp-config.php, wp-content/plugins, wp-content/uploads).
Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to detect and block malicious serialized PHP objects. Treat this as a stopgap only: such rules can miss payloads wrapped in base64 or other encodings, and cannot see data that reaches unserialize() from storage rather than directly from the request.
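As an added example of the kind of check a WAF rule or log-review script applies, not taken from the plugin or this advisory, the script below flags request parameters that contain a serialized PHP object signature, including behind one layer of extra URL-encoding or base64. The sample request strings are constructed; the parameter names are arbitrary.

```php
<?php
// Added example of a request-scanning check for serialized PHP object
// signatures, for tuning WAF rules or reviewing access logs. Not from the
// plugin or the advisory; the sample request strings are constructed.

// Start of a serialized object (O:) or custom-serialized class (C:):
// O:<len>:"<ClassName>":  -- class names may contain namespace backslashes.
const SERIALIZED_OBJECT_RE = '/[OC]:\d+:"[A-Za-z_\\\\][\w\\\\]*":/';

// Return the value plus the decodings an attacker commonly hides behind:
// an extra URL-encoding layer and a base64 wrapper.
function decode_layers(string $value): array
{
    $layers = [$value];
    $urlDecoded = rawurldecode($value);
    if ($urlDecoded !== $value) {
        $layers[] = $urlDecoded;
    }
    foreach ($layers as $layer) { // iterates a copy; appended layers are not re-scanned
        $candidate = trim($layer);
        if (preg_match('#^[A-Za-z0-9+/]{8,}={0,2}$#', $candidate)) {
            $decoded = base64_decode($candidate, true);
            if ($decoded !== false && $decoded !== '') {
                $layers[] = $decoded;
            }
        }
    }
    return $layers;
}

function contains_serialized_object(string $value): bool
{
    foreach (decode_layers($value) as $layer) {
        if (preg_match(SERIALIZED_OBJECT_RE, $layer) === 1) {
            return true;
        }
    }
    return false;
}

// Scan every parameter of a query string (or form body) and return the
// names of the parameters that carry an object signature.
function scan_query(string $query): array
{
    parse_str($query, $params);
    $hits = [];
    foreach ($params as $name => $value) {
        $flat = is_array($value) ? http_build_query($value) : (string) $value;
        if (contains_serialized_object($flat)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed samples: a harmless pagination request, three object-injection
// attempts in different wrappings, and serialized data with no object in it.
$samples = [
    'paged=2&post_type=product',
    'state=' . rawurlencode('O:11:"CacheWriter":1:{s:4:"path";s:10:"/tmp/x.txt";}'),
    'opts=' . rawurlencode(base64_encode('a:1:{i:0;O:8:"stdClass":0:{}}')),
    'cfg=' . rawurlencode('C:7:"MyClass":5:{a:b:c}'),
    'q=' . rawurlencode('a:2:{i:0;s:3:"abc";i:1;i:5;}'), // serialized, but no object
];

foreach ($samples as $query) {
    $hits = scan_query($query);
    printf("%-70s %s\n", substr($query, 0, 70), $hits ? 'FLAG: ' . implode(',', $hits) : 'ok');
}
```

The last sample is deliberately not flagged: serialized arrays and scalars carry no behaviour, so matching on "O:" and "C:" rather than on any serialized data keeps the rule usable on sites that legitimately pass serialized arrays. Extend decode_layers() if your traffic uses other wrappers (JSON bodies, cookies, gzip); anything the rule does not decode, it cannot see.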
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the severity of PHP Object Injection, administrators must treat this as a high-priority update. If no patched version is available, deactivating the plugin, and preferably deleting it so that none of its code remains reachable, is the only reliable way to eliminate the risk of remote code execution until a secure version is released.