CVE-2026-12115 Overview
CVE-2026-12115 is a PHP Object Injection vulnerability in the Counter Box WordPress plugin, affecting all versions up to and including 2.0.13. The flaw stems from insecure deserialization of untrusted input [CWE-502] during the plugin's import and list table rendering operations. Authenticated attackers with administrator-level access can inject arbitrary PHP objects through the import functionality. Deserialization triggers automatically after the post-import redirect renders the list table, and again when items are opened for editing.
Critical Impact
No native POP chain exists in the plugin itself. However, if another installed plugin or theme provides a Property-Oriented Programming (POP) chain, attackers can delete arbitrary files, exfiltrate sensitive data, or execute arbitrary code.
Affected Products
- Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin
- All versions up to and including 2.0.13
- WordPress installations with administrator-controlled import functionality
Discovery Timeline
- 2026-06-17 - CVE-2026-12115 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-12115
Vulnerability Analysis
The Counter Box plugin processes serialized PHP data from import operations without validating its contents. When an administrator performs an import, the plugin stores attacker-controlled serialized data and subsequently calls PHP's unserialize() function on this input. This deserialization occurs across multiple components, including DBManager.php, ImporterExporter.php, ListTable.php, and Settings.php.
The vulnerability requires high-privilege access (administrator), which limits exploitation to scenarios involving compromised admin accounts, rogue administrators, or chained vulnerabilities that escalate privileges. The attack does not require user interaction beyond the import action itself.
Root Cause
The root cause is unsafe use of PHP unserialize() on data that originates from import payloads. The plugin treats serialized blobs as trusted because they pass through admin-only entry points. PHP deserialization invokes magic methods such as __wakeup() and __destruct() on reconstructed objects, allowing attacker-supplied class instances to trigger code paths defined elsewhere in the runtime.
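The following PHP snippet is an added illustration of that mechanism and is not code from the Counter Box plugin or from its vendor's fix. It uses a constructed class, LoggingCleanup, whose magic methods only echo a line, to show that unserialize() on a blob the caller does not control instantiates whatever class the blob names and runs __wakeup() and __destruct() on it, and it shows the two generic hardening patterns a reviewer would ask for: passing allowed_classes => false so object tokens degrade to __PHP_Incomplete_Class, or dropping PHP serialization for import/export in favour of JSON. Function names and the sample blob are assumptions for the example; it runs on the PHP 8 CLI.

```php
<?php
// Added example (not Counter Box plugin code). LoggingCleanup is a constructed
// stand-in for any class that happens to be loaded at runtime and does work in
// a magic method; here it only echoes, it is not a real gadget.

class LoggingCleanup
{
    public string $path = '';

    // Invoked automatically when unserialize() rebuilds an instance.
    public function __wakeup(): void
    {
        echo "__wakeup() fired for path={$this->path}\n";
    }

    // Invoked automatically when the instance is garbage-collected.
    public function __destruct()
    {
        echo "__destruct() fired for path={$this->path}\n";
    }
}

// Constructed import payload: whoever controls the serialized blob chooses
// the class name and every property value.
$importBlob = 'O:14:"LoggingCleanup":1:{s:4:"path";s:17:"/tmp/example-file";}';

// Vulnerable pattern: the named class is instantiated and its magic methods run.
function vulnerableImport(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened pattern 1: refuse to instantiate any class. Scalars and arrays still
// round-trip; every O:/C: token becomes __PHP_Incomplete_Class, on which no
// user-defined __wakeup()/__destruct() exists.
function hardenedImport(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Hardened pattern 2: use JSON for import/export. json_decode() can only ever
// produce arrays and scalars, so there is no object to inject.
function jsonImport(string $json): array
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('import payload must be a JSON object or array');
    }
    return $data;
}

$v = vulnerableImport($importBlob);              // echoes the __wakeup() line now, __destruct() at exit
var_dump($v instanceof LoggingCleanup);          // bool(true)

$h = hardenedImport($importBlob);
var_dump($h instanceof __PHP_Incomplete_Class);  // bool(true), and nothing was echoed

$j = jsonImport('{"path":"/tmp/example-file"}');
var_dump($j['path']);                            // string(17) "/tmp/example-file"
```

The allowed_classes option is the smallest change that closes the class of bug when a serialized format cannot be replaced outright; note that it must be applied on every unserialize() call site the advisory lists (import, list table rendering, edit), since one missed call keeps the injection path alive.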
Attack Vector
An authenticated administrator submits a crafted import file containing serialized PHP object payloads. The plugin persists this data and deserializes it when rendering the list table after the import redirect, and again when an item is opened for editing. If a usable POP chain exists in any other loaded plugin or theme, the injected object triggers a chain culminating in file deletion, data disclosure, or code execution.
No verified exploit code is publicly available. Refer to the Wordfence Vulnerability Report and the WordPress Plugin ImporterExporter Code for technical references.
Detection Methods for CVE-2026-12115
Indicators of Compromise
- Unexpected import operations performed by administrator accounts in the Counter Box plugin
- Serialized PHP payloads containing object markers such as O: or C: stored in plugin database tables
- Unexplained file deletions, new PHP files in the WordPress webroot, or outbound connections from wp-admin sessions
- WordPress error logs referencing unserialize(), __wakeup, or __destruct from Counter Box class files
Detection Strategies
- Monitor HTTP POST requests to Counter Box import endpoints and inspect uploaded payloads for serialized object syntax
- Audit WordPress administrator activity for anomalous import actions, particularly from accounts with infrequent admin usage
- Inspect plugin database rows for serialized strings containing class names not defined by Counter Box itself
- Correlate import events with subsequent file system changes or outbound network activity from the PHP worker process
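As an added example covering the indicators above (serialized O:/C: markers in plugin tables) and the strategy of flagging class names the plugin does not define, the PHP script below scans stored values for serialized object tokens and reports any class not on an allowlist. It is not plugin, Wordfence or WordPress core code; EXPECTED_CLASSES is a placeholder to be filled from the class names actually declared by the plugin in your deployment, and the sample rows are constructed. A token only counts when its declared length matches the quoted name, so a plain string that merely contains "O:" is not reported.

```php
<?php
// Added detection example (not plugin or Wordfence code). Scans values such as
// rows exported from the plugin's database tables for serialized PHP object
// markers and reports class names that are not on the allowlist.
// EXPECTED_CLASSES is a constructed placeholder: populate it from the classes
// the plugin really declares before relying on the result.

const EXPECTED_CLASSES = ['stdClass'];

// Returns every class name referenced by an O: or C: token in $blob, including
// nested ones. The token must sit at the start of the value or directly after a
// separator (; { :) and its declared length must match the quoted name.
function extractSerializedClassNames(string $blob): array
{
    $found = [];
    if (preg_match_all('/(?:^|[;{:])([OC]):(\d+):"([^"]*)":/', $blob, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            if (strlen($match[3]) === (int) $match[2]) {
                $found[] = $match[3];
            }
        }
    }
    return array_values(array_unique($found));
}

// Classifies one stored value. Returns null for a clean row, otherwise a
// finding listing the unexpected classes so it can be forwarded to a SIEM.
function inspectStoredValue(string $rowId, string $value): ?array
{
    $classes = extractSerializedClassNames($value);
    $unexpected = array_values(array_diff($classes, EXPECTED_CLASSES));
    if ($unexpected === []) {
        return null;
    }
    return ['row' => $rowId, 'unexpected_classes' => $unexpected];
}

// Constructed sample rows, not data from a real installation.
$sampleRows = [
    // ordinary array of scalars: clean
    'item-1' => 'a:2:{s:5:"title";s:9:"Launch in";s:4:"days";i:30;}',
    // a string that merely contains "O:" text: clean (no separator before it)
    'item-2' => 'a:1:{s:4:"note";s:19:"Literal O:4:"Fake":";}',
    // an object nested inside an allowed stdClass: flagged
    'item-3' => 'O:8:"stdClass":1:{s:4:"meta";a:1:{s:1:"k";O:17:"Third_Party_Class":1:{s:3:"log";s:6:"/tmp/x";}}}',
];

foreach ($sampleRows as $id => $value) {
    $finding = inspectStoredValue($id, $value);
    echo $id . ': ' . ($finding === null ? 'clean' : json_encode($finding)) . "\n";
}
// item-1: clean
// item-2: clean
// item-3: {"row":"item-3","unexpected_classes":["Third_Party_Class"]}
```

The same extractSerializedClassNames() check can be run over the bodies of POST requests to the import endpoints before they are stored; treat the result as a triage signal rather than proof, since the regex is a heuristic and an empty allowlist will flag every object, including the plugin's own.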
Monitoring Recommendations
- Enable WordPress audit logging for plugin import and settings changes
- Forward web server, PHP-FPM, and WordPress logs to a centralized SIEM for correlation against admin session activity
- Alert on creation or modification of PHP files within wp-content/ outside of legitimate update windows
- Track administrator login geolocation and session patterns to identify account compromise preceding exploitation
How to Mitigate CVE-2026-12115
Immediate Actions Required
- Update the Counter Box plugin to a version newer than 2.0.13 as soon as the vendor publishes a patched version
- Audit installed plugins and themes for known POP chains that could be combined with this object injection flaw
- Review WordPress administrator accounts, remove unused accounts, and enforce multi-factor authentication on all remaining admins
- Restrict access to the WordPress admin interface using IP allow-listing or VPN-only access where feasible
Patch Information
Review the WordPress Plugin Changeset History for the latest vendor commits. Administrators should monitor the official plugin repository and the Wordfence Vulnerability Report for fixed-version availability.
Workarounds
- Deactivate the Counter Box plugin until a patched version is installed
- Block access to plugin import endpoints at the web application firewall (WAF) layer
- Remove or disable plugins and themes known to contain exploitable POP chains
- Apply the principle of least privilege by limiting the number of administrator-level WordPress accounts
# Disable the Counter Box plugin via WP-CLI until a patch is released
wp plugin deactivate counter-box
# Verify deactivation status
wp plugin status counter-box
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.