CVE-2026-22333 HIGH

CVE-2026-22333: WordPress YITH WooCommerce Compare plugin <= 3.6.0 - Deserialization of untrusted data vulnerability

Vendor Yithemes

Product YITH WooCommerce Compare

Weakness CWE-502 · Unsafe deserialization

Published February 19, 2026

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection.This issue affects YITH WooCommerce Compare: from n/a through <= 3.6.0.

Explanation of Vulnerability in Simple Terms

02Summary

YITH WooCommerce Compare versions up to 3.6.0 contain a deserialization vulnerability in how the plugin processes untrusted data. An authenticated administrator can exploit this to execute arbitrary PHP code on the site. The vulnerability requires high-level admin access and affects confidentiality, integrity, and availability of the WordPress installation.

What an attacker can do

03Attacker Capabilities

Run arbitrary PHP code on the site with full admin privileges.

Potential impact on your site

04Site Impact

A compromised admin account can take complete control of your site, steal data, modify content, or install malware.

Conditions required to exploit

05Prerequisites

Attacker must have WordPress administrator account access.

Key dates

06Disclosure timeline

February 19, 2026 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-22333 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities