EIP-2026-114139
PRE-CVE
WordPress Plugin Ultimate Product Catalog 4.2.24 - PHP Object Injection
Title source: legacy
Exploitation Summary
EIP tracks 1 public exploit for EIP-2026-114139. PoCs published by tomplixsee.
AI-analyzed exploit summary
This exploit demonstrates a PHP object injection vulnerability in the WordPress plugin Ultimate Product Catalog (versions <= 4.2.24). The vulnerability arises from insecure deserialization of the 'upcp_cart_products' cookie in the 'UPCP_Add_To_Cart' function, allowing an unauthenticated attacker to inject malicious serialized objects.
Description
WordPress Plugin Ultimate Product Catalog 4.2.24 - PHP Object Injection