CVE-2026-39499 | HIGH | CNA: Patchstack

CVE-2026-39499: WordPress Advanced Product Fields (Product Addons) for WooCommerce plugin <= 1.6.19 - PHP Object Injection vulnerability

PHP Object Injection reachable by shop manager accounts in Advanced Product Fields (Product Addons) for WooCommerce, versions <= 1.6.19.

Metrics

  • CVSS v3.1: 7.2
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

PHP Object Injection in the Advanced Product Fields (Product Addons) for WooCommerce plugin (versions up to and including 1.6.19) allows a network-accessible attacker with shop manager credentials to inject malicious PHP objects into the application. Exploitation requires a high-privilege account but no victim interaction, and successful attacks give the attacker full read, write, and availability impact over the affected WordPress installation. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-39499 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images running affected versions of the plugin, including custom-built WordPress container images.

Triage: Available

HarborGuard is capable of scoring this CVE at 7.2 HIGH (CVSS v3.1) and weighting that score against each customer environment's compliance policy to determine urgency and route the finding to the appropriate team inbox within each organization.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version appears. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention once a fix is released.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress service over the network; there is no requirement for local or physical access.

  • Authentication: Required

    A shop manager account (or higher) is required; any credential at that privilege level is sufficient to attempt exploitation.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed; the attacker operates entirely on their own.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other variable environmental factors.

Blast Radius

  • A successful attacker reads sensitive data from the WordPress installation, including stored order records, customer personal information, and configuration secrets.
  • The attacker writes or modifies persisted database rows and plugin configuration, enabling persistent backdoors or data tampering.
  • The attacker can crash or degrade the affected WordPress service, disrupting storefront availability for customers.
  • Because PHP Object Injection can chain into arbitrary code execution via existing class gadgets, the attacker may gain operating-system-level command execution inside the container.
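The gadget-chain point above is a property of PHP's unserialize(), not of any one plugin. The following is an added, generic illustration of the vulnerability class and its two standard mitigations; it is not code from the Advanced Product Fields plugin (the advisory does not reproduce the affected code path). The class, function names and sample payloads are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's code: the advisory does not show the
// affected code path. ExampleGadget, the apf_* functions and the payloads below
// are constructed for this example.

// Stand-in for any class already loaded in the WordPress process (core, theme,
// other plugins). Its magic methods run automatically when unserialize() builds
// an object of this class from attacker-controlled bytes; that is what turns an
// ordinary class into a "gadget".
final class ExampleGadget
{
    public static int $wakeups = 0;
    public string $data = '';

    public function __wakeup(): void
    {
        // A real gadget would do something an attacker wants here (file write,
        // method call on another object). This one only counts the invocation.
        self::$wakeups++;
    }
}

// Weak pattern: input saved by a privileged user (e.g. a field configuration
// from the product editor) is handed straight to unserialize().
function apf_load_field_config_weak(string $raw): mixed
{
    return unserialize($raw);
}

// Hardening 1: same storage format, but object instantiation is disabled.
// Objects in the payload become __PHP_Incomplete_Class, so no __wakeup() or
// __destruct() of any loaded class ever runs.
function apf_load_field_config_safer(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardening 2 (preferred for new code): exchange configuration as JSON, which
// cannot express PHP objects at all, then validate the decoded shape against an
// allow-list of keys and types. Unknown keys are dropped, wrong types rejected.
function apf_load_field_config_json(string $raw): array
{
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('field config must be a JSON object');
    }
    $schema = ['label' => 'string', 'type' => 'string', 'required' => 'boolean'];
    $clean = [];
    foreach ($schema as $key => $expected) {
        if (!array_key_exists($key, $data) || gettype($data[$key]) !== $expected) {
            throw new InvalidArgumentException("field config key '$key' missing or not $expected");
        }
        $clean[$key] = $data[$key];
    }
    return $clean;
}

// Constructed payload: a serialized ExampleGadget standing in for an arbitrary
// gadget class. Constructing the object does not trigger __wakeup(); only
// unserialize() does.
$payload = serialize(new ExampleGadget());

apf_load_field_config_weak($payload);
printf("weak:  __wakeup ran %d time(s)\n", ExampleGadget::$wakeups);

$before = ExampleGadget::$wakeups;
$obj = apf_load_field_config_safer($payload);
printf("safer: __wakeup ran %d more time(s); decoded as %s\n",
    ExampleGadget::$wakeups - $before, get_class($obj));

$cfg = apf_load_field_config_json(
    '{"label":"Engraving","type":"text","required":true,"extra":1}'
);
print_r($cfg);
```

The `allowed_classes` option exists since PHP 7.0 and is the smallest change when a serialized format cannot be replaced; the JSON variant is the one to reach for when the storage format is still a choice. Either way, the compensating controls listed further down (fewer shop manager accounts, restricted admin endpoints) only shrink the set of people who can reach unserialize(), while these changes remove the gadget execution itself.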

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-39499, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads without requiring manual action. In the interim, compensating controls worth considering include network-policy isolation that restricts wp-admin and WooCommerce shop-manager endpoints to known IP ranges, egress filtering to limit outbound calls from the WordPress container, and auditing shop manager accounts to reduce the number of credentials that could be used to reach the vulnerable code path. HarborGuard will continue surfacing this finding against any image containing plugin version 1.6.19 or earlier until a patched version is confirmed in the upstream advisory.

Affected packages
  • Wombat Plugins / Advanced Product Fields (Product Addons) for WooCommerce
    ≤ 1.6.19
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H