CVE-2026-1235

CVE-2026-1235: WP eCommerce <= 3.15.1 - Unauthenticated PHP Object Injection

Vendor Unknown
Product WP eCommerce
Published February 11, 2026
Last update April 2, 2026

CVSS base score

What the vulnerability does

01Description

The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

Explanation of Vulnerability in Simple Terms

02Summary

WP eCommerce versions 3.15.1 and earlier contain an unspecified vulnerability. Insufficient metadata prevents detailed risk assessment. Site administrators should monitor for vendor security advisories and consider updating to a version newer than 3.15.1 when available.

What an attacker can do

03Attacker Capabilities

Unknown; insufficient vulnerability details provided.

Potential impact on your site

04Site Impact

Unknown impact; patch status and severity cannot be determined from available data.

Conditions required to exploit

05Prerequisites

Unknown; insufficient vulnerability details provided.

Key dates

06Disclosure timeline

February 11, 2026 CVE published
April 2, 2026 Record updated