Vulnerabilities

CVE-2026-2020 - JS Archive List <= 6.1.7 - authenticated (contributor+) php object injection via ...

2026-03-07 0 views admin
CVE-2026-2020 - JS Archive List <= 6.1.7 - authenticated (contributor+) php object injection via ...

CVE ID :CVE-2026-2020 Published : March 7, 2026, 2:16 a.m. | 1 hour, 10 minutes ago Description :The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Severity: 7.5 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE Details

Severity
HIGH
Published
March 7, 2026
Affected Product: WordPress

🏷️ Tags

cvevulnerabilitysecuritycybersecuritycve-2026-2020highwordpress

More from Vulnerabilities

CVE-2025-14353 - ZIP Code Based Content Protection <= 1.0.2 - unauthenticated sql injection via '...

CVE-2025-14353 - ZIP Code Based Content Protection <= 1.0.2 - unauthenticated sql injection via '...

2026-03-07 0
CVE-2026-1902 - Hammas Calendar <= 1.5.11 - authenticated (contributor+) stored cross-site script...

CVE-2026-1902 - Hammas Calendar <= 1.5.11 - authenticated (contributor+) stored cross-site script...

2026-03-07 0
CVE-2026-1650 - MDJM Event Management <= 1.7.8.1 - missing authorization to unauthenticated arbit...

CVE-2026-1650 - MDJM Event Management <= 1.7.8.1 - missing authorization to unauthenticated arbit...

2026-03-07 0
CVE-2026-2494 - ProfileGrid <= 5.9.8.2 - cross-site request forgery to group membership request a...

CVE-2026-2494 - ProfileGrid <= 5.9.8.2 - cross-site request forgery to group membership request a...

2026-03-07 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views