CVE-2026-25316 HIGH

CVE-2026-25316: WordPress CartFlows plugin <= 2.1.19 - PHP Object Injection vulnerability

Vendor Brainstorm Force

Product CartFlows

Weakness CWE-502 · Unsafe deserialization

Published February 19, 2026

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Deserialization of Untrusted Data vulnerability in Brainstorm Force CartFlows cartflows allows Object Injection.This issue affects CartFlows: from n/a through <= 2.1.19.

Explanation of Vulnerability in Simple Terms

02Summary

CartFlows versions up to 2.1.19 contain a deserialization vulnerability that allows high-privileged users to execute arbitrary code on the site. An attacker with admin or equivalent access can craft malicious serialized data to trigger unintended PHP execution. Sites running affected versions should update immediately to patch this privilege-escalation risk.

What an attacker can do

03Attacker Capabilities

Run arbitrary PHP code on the site with full site privileges.

Potential impact on your site

04Site Impact

A compromised admin account can fully compromise the site, steal data, or inject malware.

Conditions required to exploit

05Prerequisites

Attacker must have high-level admin or equivalent access to the site.

Key dates

06Disclosure timeline

February 19, 2026 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-25316 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities