CVE-2026-40725: WordPress WooCommerce Product Filters plugin < 2.0.6 - PHP Object Injection vulnerability

Synopsis

PHP Object Injection is a vulnerability in the WooCommerce Product Filters plugin (by Barn2 Media Ltd) affecting all versions before 2.0.6. The flaw is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable by any remote attacker. Successful exploitation gives an attacker full read, write, and denial-of-service capabilities against the affected system. A patched-image rebuild at version 2.0.6 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the web server running the affected WordPress installation.

• AuthenticationNot required

  No account or session is needed; the injection point is accessible to completely unauthenticated HTTP requests.

• Victim interactionNot required

  The attack is fully server-side and does not require any administrator or user to click a link or take any action.

• Attack complexityDetail

  Exploitation is reliable and condition-free; no race conditions, memory layout knowledge, or special environmental factors are required to trigger the vulnerability.

Blast Radius

• Reads sensitive data stored on the server, including WooCommerce customer records, order details, and WordPress credentials.
• Writes or modifies persisted data on the server, including database rows, plugin configuration, and file system content reachable by the web process.
• Crashes or degrades the affected WordPress service, causing denial of access for end users and store customers.
• Depending on the PHP classes available in the application, object injection chains may allow execution of arbitrary operating system commands on the host.