
CVE-2026-1235: CWE-502 Deserialization of Untrusted Data in WP eCommerce

Published: Wed Feb 11 2026 (02/11/2026, 06:00:08 UTC)
Source: CVE Database V5
Product: WP eCommerce

Description

The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

AI-Powered Analysis

AI analysis last updated: 02/11/2026, 06:30:33 UTC

Technical Analysis

CVE-2026-1235 is a critical vulnerability in the WP eCommerce plugin for WordPress, identified as a CWE-502: Deserialization of Untrusted Data. The vulnerability arises because the plugin unserializes data received via AJAX actions without sufficient validation or sanitization. Specifically, unauthenticated users can send crafted serialized PHP objects to the plugin, which then unserializes them. If the WordPress site or its plugins/themes include suitable gadget chains—PHP classes with magic methods that can be abused—this can lead to PHP Object Injection. This injection can enable attackers to execute arbitrary PHP code remotely, potentially leading to full site compromise, data theft, or defacement. The vulnerability affects all versions up to 3.15.1 of WP eCommerce. No official patches or fixes have been released at the time of this report, and no known exploits have been observed in the wild. The vulnerability is particularly dangerous because it requires no authentication and can be triggered remotely via AJAX, increasing the attack surface. The lack of a CVSS score means severity must be assessed based on technical characteristics, which indicate a high risk due to the potential for remote code execution and the widespread use of the affected plugin in e-commerce WordPress sites.

Potential Impact

For European organizations, especially those operating e-commerce platforms on WordPress using the WP eCommerce plugin, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized remote code execution, allowing attackers to manipulate or steal sensitive customer data, disrupt business operations, or deploy malware such as ransomware. The integrity and availability of the affected websites could be severely compromised, resulting in financial losses, reputational damage, and regulatory penalties under GDPR if personal data is exposed. The vulnerability's unauthenticated nature means attackers can exploit it without prior access, increasing the likelihood of attacks. Given the importance of e-commerce in Europe and the reliance on WordPress for online stores, the threat could affect a broad range of businesses from SMEs to large enterprises. Additionally, the potential for site defacement or use as a pivot point for further network attacks increases the overall risk profile.

Mitigation Recommendations

Immediate mitigation steps include disabling or restricting the vulnerable AJAX actions in the WP eCommerce plugin to prevent unauthenticated unserialization of user input. Administrators should implement web application firewall (WAF) rules to detect and block suspicious serialized payloads targeting the plugin's AJAX endpoints. Conduct a thorough audit of installed plugins and themes to identify and remove or update any that provide gadget chains exploitable via PHP Object Injection. Until an official patch is released, consider temporarily disabling the WP eCommerce plugin if feasible or isolating the affected WordPress instance behind strict access controls. Monitor logs for unusual AJAX requests or serialized data submissions. Employ runtime application self-protection (RASP) solutions that can detect and block deserialization attacks. Finally, maintain regular backups and prepare incident response plans to quickly recover from potential compromises.
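The detection step in the mitigation paragraph above (WAF rules and log monitoring for serialized payloads) and the unserialize()-of-AJAX-input pattern described under Technical Analysis, as an added Python example that is not part of this advisory or of the plugin: it parses PHP serialize() output properly, so a plain array or scalar is not flagged, while any O:/C: object token (including one nested in an array or wrapped in base64) is reported with its class name. The field name `data` and the action `example_action` used when exercising it are constructed placeholders, since the plugin's real AJAX action names are not on the page.

```python
import base64
from urllib.parse import parse_qs
def php_object_classes(payload):
    """Class names of every O:/C: token in a PHP serialize() string; [] if none, None if malformed."""
    classes, pos = [], 0
    def parse():
        nonlocal pos
        t = payload[pos]
        if t in 'Nbid':                          # N;  b:1;  i:42;  d:1.5;
            pos = payload.index(';', pos) + 1
        elif t == 's':                           # s:3:"abc";
            colon = payload.index(':', pos + 2)
            pos = colon + int(payload[pos + 2:colon]) + 4
        elif t == 'a':                           # a:N:{key;value;...}
            colon = payload.index(':', pos + 2)
            count, pos = int(payload[pos + 2:colon]), colon + 2
            for _ in range(2 * count):
                parse()
            pos += 1                             # closing }
        elif t in 'OC':                          # O:8:"Class":N:{props}   C:5:"Class":N:{raw}
            colon = payload.index(':', pos + 2)
            namelen = int(payload[pos + 2:colon])
            classes.append(payload[colon + 2:colon + 2 + namelen])
            pos = colon + namelen + 4
            colon2 = payload.index(':', pos)
            count, pos = int(payload[pos:colon2]), colon2 + 2
            for _ in range(0 if t == 'C' else 2 * count):   # O: N name/value pairs
                parse()
            pos += (count if t == 'C' else 0) + 1             # C: N raw bytes; then }
        else:
            raise ValueError('not a serialize() token')      # also bounds the loops above
    try:
        parse()
    except (ValueError, IndexError):
        return None
    return classes if pos == len(payload) else None
def scan_form_body(body):
    """(field, classes) for each urlencoded form field holding a serialized PHP object, raw or base64-wrapped."""
    findings = []
    for name, values in parse_qs(body).items():
        for raw in values:
            try:
                decoded = base64.b64decode(raw, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                decoded = ''
            classes = php_object_classes(raw) or php_object_classes(decoded)
            if classes:
                findings.append((name, classes))
    return findings
```

Feed it the decoded POST body of requests to admin-ajax.php; the class names it returns can be checked against the plugin and theme audit from the mitigation steps, since a benign serialized array yields no finding at all.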


Technical Details

Data Version: 5.2
Assigner Short Name: WPScan
Date Reserved: 2026-01-20T16:01:12.343Z
CVSS Version: null
State: PUBLISHED

Threat ID: 698c1eb04b57a58fa179b72e

Added to database: 2/11/2026, 6:16:16 AM

Last enriched: 2/11/2026, 6:30:33 AM

Last updated: 2/11/2026, 11:17:34 AM
