
CVE-2025-11993: WooCommerce Infinite Scroll RCE Vulnerability

CVE-2025-11993 is a PHP Object Injection flaw in the WooCommerce Infinite Scroll and Ajax Pagination plugin that enables authenticated attackers to execute arbitrary code, delete files, or access sensitive data on vulnerable WordPress sites.

CVE-2025-11993 Overview

CVE-2025-11993 is a PHP Object Injection vulnerability in the WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress. The flaw affects all versions up to and including 1.8. The import_settings function deserializes untrusted data passed through the settings parameter without performing capability checks. Authenticated users with Subscriber-level access or higher can inject arbitrary PHP objects. The plugin itself does not ship a Property-Oriented Programming (POP) chain, but the presence of any vulnerable POP chain in another installed plugin or theme can escalate this issue to arbitrary file deletion, sensitive data retrieval, or remote code execution. The vulnerability is tracked under CWE-502.

Critical Impact

Authenticated attackers with Subscriber-level access can inject PHP objects through the import configuration feature, potentially leading to remote code execution when a POP chain exists in another installed component.

Affected Products

  • WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress, versions <= 1.8
  • WordPress installations using the plugin alongside other plugins or themes that expose POP chains
  • WooCommerce-based storefronts that rely on this plugin for pagination behavior

Discovery Timeline

  • 2026-05-29 - CVE-2025-11993 published to NVD
  • 2026-05-29 - Last updated in NVD database

Technical Details for CVE-2025-11993

Vulnerability Analysis

The plugin exposes an import_settings function intended to restore plugin configuration from a serialized payload. The function calls PHP's unserialize() on the settings parameter supplied by the requester. Because the handler lacks a capability check, any authenticated session — including Subscriber accounts created through standard WordPress registration — can reach the deserialization sink. Object injection occurs when attacker-controlled serialized data instantiates arbitrary PHP classes during deserialization. Magic methods such as __wakeup, __destruct, or __toString then execute against attacker-defined property values.

Root Cause

The root cause is unsafe deserialization of user-supplied input combined with missing authorization checks. The import_settings handler trusts the settings parameter and passes it directly to unserialize() without using a safe format such as JSON. WordPress capability functions like current_user_can('manage_options') are not enforced on the endpoint, so the privilege barrier is effectively any authenticated account.

Attack Vector

An attacker first obtains a Subscriber-level account on the target WordPress site, which is trivial when open registration is enabled. The attacker then submits a crafted serialized PHP object to the import_settings endpoint via the settings parameter. If a class defined elsewhere on the site implements a usable gadget chain through magic methods, the injected object triggers that chain. Reachable outcomes include arbitrary file deletion through __destruct gadgets, file reads through string conversion gadgets, and command execution through chains that reach call_user_func or process invocation primitives. The plugin itself contains no exploitable gadget, so the impact depends on the broader plugin and theme inventory installed on the WordPress instance. See the Wordfence Vulnerability Analysis for additional context.

Detection Methods for CVE-2025-11993

Indicators of Compromise

  • POST requests to admin-ajax.php or REST routes referencing import_settings from accounts holding only the Subscriber role.
  • settings parameter values beginning with serialized PHP markers such as O:, a:, or s: followed by class names.
  • Unexpected creation, modification, or deletion of files under wp-content/ shortly after such requests.
  • New Subscriber-level user registrations followed quickly by requests to plugin AJAX endpoints.

Detection Strategies

  • Inspect WordPress access logs for action=import_settings invocations and correlate the source user role with the request body.
  • Apply web application firewall rules that flag serialized PHP payloads in POST parameters destined for plugin endpoints.
  • Hash-monitor the WordPress installation directory to identify out-of-band file changes that follow plugin AJAX traffic.
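The log-inspection strategy above, as an added triage example that is not part of the advisory or the plugin: it walks constructed audit-log lines (one JSON event per line with method, uri, user, role and POST body fields, an assumed format), isolates import_settings calls, and reports the class name named by a leading O:/C: serialized-object marker, escalating when the caller holds only the Subscriber role. The class name in the sample is a placeholder, not a known gadget.

```php
<?php
// Added example, not from the advisory or the plugin. Log format is assumed:
// one JSON object per line with method, uri, user, role and body (raw POST body).

// Start of a PHP-serialized object (O:) or custom-serialized value (C:);
// the capture group is the class that unserialize() would instantiate.
const PHP_OBJECT_PREFIX = '/^\s*(?:O|C):\d+:"([^"]+)"/';

function inspect_import_request(string $line): ?array {
    $ev = json_decode($line, true);
    if (!is_array($ev) || ($ev['method'] ?? '') !== 'POST') return null;
    if (strpos($ev['uri'] ?? '', 'admin-ajax.php') === false) return null;

    // Decode the form body the same way PHP does, so %-encoded markers are seen.
    parse_str($ev['body'] ?? '', $params);
    if (($params['action'] ?? '') !== 'import_settings') return null;

    $settings = (string) ($params['settings'] ?? '');
    if (!preg_match(PHP_OBJECT_PREFIX, $settings, $m)) return null;

    $role = $ev['role'] ?? '?';
    return [
        'user'     => $ev['user'] ?? '?',
        'role'     => $role,
        'class'    => $m[1],
        // A Subscriber reaching an admin-only import is the key signal.
        'severity' => ($role === 'subscriber') ? 'high' : 'review',
    ];
}

// Constructed sample events: a JSON import by an administrator (benign),
// an object payload from a subscriber account (placeholder class name),
// and an unrelated storefront page view.
$samples = [
    '{"method":"POST","uri":"/wp-admin/admin-ajax.php","user":"alice","role":"administrator","body":"action=import_settings&settings=%7B%22items_per_page%22%3A12%7D"}',
    '{"method":"POST","uri":"/wp-admin/admin-ajax.php","user":"newuser42","role":"subscriber","body":"action=import_settings&settings=O%3A16%3A%22Example_Gadget_X%22%3A0%3A%7B%7D"}',
    '{"method":"GET","uri":"/shop/page/2/","user":"-","role":"-","body":""}',
];

foreach ($samples as $line) {
    $hit = inspect_import_request($line);
    if ($hit !== null) {
        printf("[%s] user=%s role=%s injected class=%s\n",
            $hit['severity'], $hit['user'], $hit['role'], $hit['class']);
    }
}
```

Only the second sample is reported; the administrator's JSON import carries no object marker and passes silently.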

Monitoring Recommendations

  • Alert on successful authentication followed within minutes by requests containing serialized payloads.
  • Track outbound network connections from the PHP-FPM or web server process to detect downstream code execution.
  • Audit the user table for unexpected Subscriber registrations and disable open registration where it is not required.

How to Mitigate CVE-2025-11993

Immediate Actions Required

  • Disable the WooCommerce Infinite Scroll and Ajax Pagination plugin until a patched release is verified.
  • Disable open WordPress user registration or restrict the default new user role to a non-privileged custom role.
  • Audit installed plugins and themes for known POP gadget chains and remove components that are not in active use.

Patch Information

No fixed version is referenced in the published advisory at the time of NVD publication. Monitor the Codecanyon Product Page and the Wordfence Vulnerability Analysis for vendor remediation updates. Apply the vendor patch as soon as it is released and validate that the import_settings handler enforces capability checks and no longer calls unserialize() on user input.
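The two fix criteria named above (enforce a capability check; stop calling unserialize() on user input), and the root cause described earlier, as an added hardened handler written for this page rather than taken from the plugin. The hook name, option name, nonce action and settings keys are assumptions; only the WordPress API calls are real.

```php
<?php
// Added example, not the plugin's code. Hook, option and key names are assumed.
// Demonstrates the fix shape: authorization, CSRF check, JSON instead of PHP
// serialization, and key whitelisting before anything reaches update_option().

add_action('wp_ajax_wisa_import_settings', 'wisa_import_settings_safe');

function wisa_import_settings_safe() {
    // 1. Authorization: only users who may manage options can import config.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer('wisa_import_settings', 'nonce');

    // 3. Parse JSON, never PHP-serialized data: json_decode cannot instantiate
    //    classes, so no __wakeup/__destruct/__toString gadget can fire.
    $raw  = isset($_POST['settings']) ? wp_unslash($_POST['settings']) : '';
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        wp_send_json_error('settings must be a JSON object', 400);
    }

    // 4. Whitelist keys and coerce types; unknown fields are dropped.
    $allowed = [
        'items_per_page' => 'int',
        'load_more_text' => 'text',
        'enabled'        => 'bool',
    ];
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (!array_key_exists($key, $data)) continue;
        switch ($type) {
            case 'int':  $clean[$key] = absint($data[$key]); break;
            case 'bool': $clean[$key] = (bool) $data[$key]; break;
            default:     $clean[$key] = sanitize_text_field((string) $data[$key]);
        }
    }
    update_option('wisa_settings', $clean);
    wp_send_json_success($clean);
}

// If legacy serialized exports must still be read, forbid class instantiation:
// every O:/C: token then becomes __PHP_Incomplete_Class, which has no magic methods.
function wisa_decode_legacy(string $raw): ?array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}
```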

Workarounds

  • Deploy a WAF rule that blocks requests to plugin AJAX endpoints when the body contains serialized PHP object markers such as O: or C:.
  • Restrict access to wp-admin and AJAX endpoints by IP allowlist for sites that do not require public authenticated functionality.
  • Remove or deactivate the plugin entirely on sites where infinite scroll is not a required feature.
```apache
# Example WAF rule fragment to block serialized PHP payloads in the settings parameter.
# Note: the 'a:' alternative also blocks legitimate serialized-array imports; that is
# acceptable while the plugin is disabled or awaiting a patch.
SecRule ARGS:settings "@rx ^(O|C|a):[0-9]+:" \
    "id:1011993,\
     phase:2,\
     deny,\
     status:403,\
     log,\
     msg:'Possible PHP object injection targeting CVE-2025-11993'"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
