CVE-2026-39434: WordPress CTX Feed plugin <= 6.6.26 - PHP Object Injection vulnerability
Shop manager-level PHP Object Injection in CTX Feed versions 6.6.26 and earlier.
Metrics
- CVSS v3.1: 7.2
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A PHP Object Injection vulnerability in the CTX Feed WordPress plugin by WebAppick (versions 6.6.26 and earlier) lets an authenticated attacker holding the shop manager role (WooCommerce's shop_manager) supply attacker-controlled serialized PHP data that the plugin passes to unserialize(). Because unserialize() instantiates whatever class the payload names and later invokes that class's magic methods (such as __wakeup and __destruct), the attacker can drive code paths in any class loaded on the site, not only in the plugin itself. The flaw is reachable over the network and needs no victim interaction once the attacker is authenticated. CVSS rates the confidentiality, integrity and availability impact as High (C:H/I:H/A:H); the shop manager privilege requirement (PR:H) is what holds the score at 7.2 rather than higher. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images in registries and CI/CD pipelines. Coverage extends to custom-built images that bundle the CTX Feed plugin.
HarborGuard can score this finding at CVSS 7.2 (HIGH) and apply per-environment compliance policy weighting to determine the urgency tier. Routing to the appropriate team inbox within each customer organization is part of the standard triage workflow.
No fix version has been published upstream for this CVE; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once an upstream patch lands.
Exploit Conditions
- Network reachability: Required (AV:N)
The attacker must reach the WordPress installation over the network; the vulnerable endpoint is reachable from the internet in typical WordPress deployments.
- Authentication: Required (PR:H)
A shop manager account (or higher) is required; any credential granting that role is sufficient to trigger the injection.
- Victim interaction: Not required (UI:N)
No user action or social engineering is needed once the attacker holds a valid shop manager session.
- Attack complexity: Low (AC:L)
Crafting the serialized payload is deterministic; no race condition or special memory layout is required. Whether the injected object leads beyond data tampering to code execution depends on which gadget (POP) classes are loaded on the site, not on the plugin alone.
Blast Radius
- Reads stored data including order records, customer PII, and configuration secrets held by the WordPress application.
- Modifies or overwrites persisted database rows and file-system content accessible to the PHP process.
- Crashes the affected service or renders the WordPress site unavailable by corrupting application state during deserialization.
- Depending on which classes are loaded in the PHP process (WordPress core, other plugins, the theme), a suitable POP chain may turn the injection into arbitrary code execution, giving full access at the web server's privilege level.
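The synopsis, the attack-complexity note and the blast radius above all hinge on the same mechanism: unserialize() on attacker-supplied data builds an object of a class the attacker chooses, and that object's magic methods run without the calling code ever touching it. The script below is an illustration added to this advisory, not CTX Feed's code; TempFileCleanup is a hypothetical gadget class standing in for whatever classes a real site has loaded, and the "stored setting" is a constructed payload rather than a real plugin option. It shows the vulnerable pattern next to two hardened alternatives.

```php
<?php
declare(strict_types=1);

// Illustration added to this advisory; it is not CTX Feed's code. It shows the
// PHP Object Injection pattern (untrusted data passed to unserialize()) next to
// two hardened alternatives. TempFileCleanup is a hypothetical gadget class
// standing in for whatever classes happen to be loaded on a real site.

class TempFileCleanup
{
    public ?string $path = null;

    // Runs when the object is destroyed, even though nothing in the request
    // handler ever called a method on it: unserialize() built it, and the
    // destructor fires as soon as the last reference goes away.
    public function __destruct()
    {
        if ($this->path !== null && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable: a setting an authenticated shop manager controls is
// deserialised as-is, so the payload chooses which class gets instantiated.
function load_settings_vulnerable(string $stored): array
{
    $data = unserialize($stored);
    return is_array($data) ? $data : [];
}

// Hardened (1): allowed_classes=false turns every object in the payload into
// __PHP_Incomplete_Class, whose magic methods are never invoked.
function load_settings_hardened(string $stored): array
{
    $data = unserialize($stored, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Hardened (2): JSON cannot express PHP objects at all. Preferred for new code.
function load_settings_json(string $stored): array
{
    $data = json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Builds the constructed attacker payload: a serialised TempFileCleanup whose
// path points at a file the attacker wants removed.
function gadget_payload(string $path): string
{
    return sprintf('O:15:"TempFileCleanup":1:{s:4:"path";s:%d:"%s";}', strlen($path), $path);
}

// Feeds the payload to one loader and reports whether the victim file survived.
// Every loader returns [] (the payload is not an array), so the caller sees
// nothing unusual; the damage, if any, happens as a side effect.
function demo(string $label, callable $loader): bool
{
    $victim  = tempnam(sys_get_temp_dir(), 'poi');   // stand-in for a file the site needs
    $outcome = 'payload accepted';
    try {
        $loader(gadget_payload($victim));
    } catch (JsonException $e) {
        $outcome = 'payload rejected (' . $e->getMessage() . ')';
    }
    $present = is_file($victim);
    if ($present) {
        unlink($victim);
    }
    printf("%-10s %s; file still present: %s\n", $label, $outcome, $present ? 'yes' : 'no');
    return $present;
}

demo('vulnerable', 'load_settings_vulnerable');
demo('hardened', 'load_settings_hardened');
demo('json', 'load_settings_json');
```

Run it with a plain `php` binary. Only the vulnerable loader loses the file: the destructor runs the moment the function's local variable goes out of scope, before the caller even inspects the return value. With allowed_classes disabled the object arrives as __PHP_Incomplete_Class and the destructor never exists; with JSON the serialized string is rejected as a syntax error. On a real site the equivalent of TempFileCleanup is whichever class in core, another plugin or the theme has an exploitable magic method, which is why the reachable impact is a property of the whole installation.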
How HarborGuard Handles This
Detection is active for images containing CTX Feed 6.6.26 and earlier, with findings surfaced in each customer's scan results as soon as the image is processed. Because no upstream fix has been published, HarborGuard monitors the Patchstack advisory and the WebAppick release channel on every ingest cycle. In the interim, customers can apply compensating controls through HarborGuard network-policy suggestions, such as restricting wp-admin and REST API routes to known IP ranges, isolating the WordPress container from internal services it does not need to reach, and auditing shop manager account assignments to reduce the pool of credentials that could be abused. The moment a patched version is published upstream, a rebuilt image will become available; for customers with auto-remediation enabled, a regression-tested PR against affected workloads will open automatically.
Affected Products
- WebAppick / CTX Feed: ≤ 6.6.26
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
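The coverage text above describes detecting CTX Feed 6.6.26 and earlier inside container images. The script below is an illustration added to this advisory, not HarborGuard's scanner and not CTX Feed's code; it shows the minimum such a check has to get right for a WordPress plugin: read the plugin header block, extract the Version field the way WordPress core's get_file_data() does, and compare with version_compare() rather than string comparison (lexically "6.6.3" sorts after "6.6.26"). The sample header is constructed, and matching the plugin by a "CTX Feed" substring in its Plugin Name is an assumption about the real header.

```php
<?php
declare(strict_types=1);

// Illustration added to this advisory, not HarborGuard's scanner or CTX Feed's
// code. Reads a WordPress plugin header, extracts "Version:", and compares it
// to the advisory's inclusive upper bound with version_compare().

const CTX_FEED_LAST_AFFECTED = '6.6.26';

// Extracts one field from a WordPress plugin header block, using the same
// regex shape and trailing-comment cleanup that WordPress core's
// get_file_data() applies.
function plugin_header_field(string $source, string $field): ?string
{
    $re = '/^(?:[ \t]*<\?php)?[ \t\/*#@]*' . preg_quote($field, '/') . ':(.*)$/mi';
    if (!preg_match($re, $source, $m)) {
        return null;
    }
    return trim((string) preg_replace('/\s*(?:\*\/|\?>).*/', '', $m[1]));
}

// The advisory bound is inclusive: every version <= 6.6.26 is affected.
function ctx_feed_is_affected(string $version): bool
{
    return version_compare($version, CTX_FEED_LAST_AFFECTED, '<=');
}

// Walks a wp-content/plugins directory, finds the CTX Feed main file by its
// header (substring match on Plugin Name is an assumption) and classifies it.
// Returns null when the plugin is not present.
function check_plugins_dir(string $pluginsDir): ?string
{
    foreach (glob($pluginsDir . '/*/*.php') ?: [] as $file) {
        $head = (string) file_get_contents($file, false, null, 0, 8192);
        $name = plugin_header_field($head, 'Plugin Name');
        if ($name === null || stripos($name, 'CTX Feed') === false) {
            continue;
        }
        $v = plugin_header_field($head, 'Version');
        if ($v === null) {
            return "$file: no Version header, treat as affected";
        }
        return sprintf('%s: %s (%s)', $file, $v,
            ctx_feed_is_affected($v) ? 'affected' : 'not affected');
    }
    return null;
}

// Boundary cases for the comparison itself.
foreach (['6.6.3', '6.6.26', '6.6.27', '6.7'] as $v) {
    printf("%-7s %s\n", $v, ctx_feed_is_affected($v) ? 'affected' : 'not affected');
}

// Constructed sample header in the WordPress plugin format.
$sample = <<<'HDR'
<?php
/**
 * Plugin Name: CTX Feed
 * Plugin URI:  https://webappick.com/
 * Version:     6.6.26
 */
HDR;
var_dump(plugin_header_field($sample, 'Version'));

if ($argc > 1) {
    // e.g. php ctxfeed_check.php /var/www/html/wp-content/plugins
    echo check_plugins_dir($argv[1]) ?? "CTX Feed not found under {$argv[1]}", "\n";
}
```

Point the script at a mounted image's wp-content/plugins directory to classify a bundled copy; the plugin directory layout (one subdirectory per plugin with the header in a top-level .php file) is the usual WordPress convention. Of the four boundary values, 6.6.3 and 6.6.26 fall inside the affected range and 6.6.27 and 6.7 fall outside it, which is exactly the split a naive string comparison would get wrong for 6.6.3.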