CVE-2026-7637 Overview
CVE-2026-7637 is a PHP Object Injection vulnerability in the Boost plugin for WordPress, affecting all versions up to and including 2.0.3. The flaw stems from unsafe deserialization of untrusted input passed through the STYXKEY-BOOST_USER_LOCATION cookie. Unauthenticated attackers can inject arbitrary PHP objects into the application by crafting a malicious cookie value. The Boost plugin itself does not ship a Property-Oriented Programming (POP) chain, so exploitation requires another plugin or theme with a usable gadget chain installed on the same WordPress site. When such a chain is present, attackers can delete arbitrary files, exfiltrate sensitive data, or execute arbitrary code [CWE-502].
Critical Impact
Unauthenticated attackers can inject PHP objects via a cookie, enabling code execution, file deletion, or data theft when a POP chain exists in any installed plugin or theme.
Affected Products
- PixelYourSite Boost plugin for WordPress versions ≤ 2.0.3
- WordPress installations with the Boost plugin enabled
- WordPress sites where another installed plugin or theme supplies a POP chain (the precondition for the injection to cause more than an object instantiation)
Discovery Timeline
- 2026-05-20 - CVE-2026-7637 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-7637
Vulnerability Analysis
The Boost plugin reads the STYXKEY-BOOST_USER_LOCATION cookie value and passes it to PHP's unserialize() function without validation. unserialize() rebuilds whatever objects the serialized string describes, calling __wakeup() (or __unserialize()) on each object as it is created and __destruct() when the object is later discarded; other magic methods such as __toString() and __call() fire if the application subsequently touches the object. An attacker who supplies a crafted serialized payload can therefore instantiate any class that is loaded or autoloadable in the WordPress process, with property values of their choosing.
The Boost plugin alone does not expose exploitable gadgets. However, WordPress environments typically load dozens of plugins and themes, any of which may define classes whose magic methods perform sensitive operations. Chaining these classes through deserialization produces a POP chain that escalates object injection into concrete impact. The attack requires no authentication and no user interaction.
Root Cause
The root cause is deserialization of untrusted input from an HTTP cookie. The plugin trusts cookie data as if it were internal state and feeds it directly into unserialize(). This violates the principle that any client-controllable channel must be treated as hostile input, particularly when the parser, as unserialize() does, turns that input into objects whose class and property values the sender chooses.
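The following PHP is added here as an illustration; it is not code from the Boost plugin or from PixelYourSite. It places the vulnerable cookie reader beside two hardened variants. The class LogCleaner is a hypothetical gadget standing in for a class some other plugin might load (the page names no real one), and the read_location_* helper names, the JSON field set, and the sample cookie are assumptions.

```php
<?php
// Added example, not Boost plugin code. LogCleaner is a hypothetical gadget that
// stands in for a class some other plugin might load; read_location_* are
// assumed helper names and the field list is an assumption.
declare(strict_types=1);

final class LogCleaner
{
    public string $path = '';

    public function __destruct()
    {
        // A real gadget would do something like unlink($this->path) here.
        echo "LogCleaner::__destruct() would delete: {$this->path}\n";
    }
}

// Vulnerable: the cookie string decides which classes get instantiated.
function read_location_vulnerable(array $cookies): mixed
{
    $raw = (string) ($cookies['STYXKEY-BOOST_USER_LOCATION'] ?? '');
    return @unserialize($raw);
}

// Hardened, same wire format: refuse every class, then require a flat array of strings.
function read_location_no_classes(array $cookies): ?array
{
    $raw  = (string) ($cookies['STYXKEY-BOOST_USER_LOCATION'] ?? '');
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null;   // an O: payload comes back as __PHP_Incomplete_Class, which has no destructor
    }
    foreach ($data as $v) {
        if (!is_string($v)) {
            return null;   // nested objects or arrays are rejected as well
        }
    }
    return $data;
}

// Hardened, preferred: store JSON and keep only the fields the feature needs.
function read_location_json(array $cookies): ?array
{
    $raw  = (string) ($cookies['STYXKEY-BOOST_USER_LOCATION'] ?? '');
    $data = json_decode($raw, true);
    if (!is_array($data)) {
        return null;
    }
    $out = [];
    foreach (['country', 'region', 'city'] as $field) {   // assumed field set
        if (isset($data[$field]) && is_string($data[$field]) && strlen($data[$field]) <= 64) {
            $out[$field] = $data[$field];
        }
    }
    return $out;
}

// Constructed attacker cookie: a serialized LogCleaner with an attacker-chosen property.
$attack = ['STYXKEY-BOOST_USER_LOCATION' =>
    'O:10:"LogCleaner":1:{s:4:"path";s:22:"/var/www/wp-config.php";}'];

$obj = read_location_vulnerable($attack);
var_dump($obj instanceof LogCleaner);        // true: the destructor runs when $obj is released
var_dump(read_location_no_classes($attack)); // NULL: class refused, no destructor ever exists
var_dump(read_location_json($attack));       // NULL: not JSON
var_dump(read_location_json(['STYXKEY-BOOST_USER_LOCATION' => '{"country":"US"}']));
```

The allowed_classes option stops the object from ever existing, which is why no magic method fires; it is the minimal fix when the cookie format cannot change. Moving to JSON with an explicit field allow-list removes unserialize() from the request path entirely, which is the better long-term shape for data that only ever needs to carry a few strings.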
Attack Vector
An attacker sends an HTTP request to the target WordPress site with a crafted STYXKEY-BOOST_USER_LOCATION cookie containing a serialized PHP object payload. The Boost plugin deserializes the value during request handling, instantiating attacker-chosen classes with attacker-chosen property values. If an installed plugin or theme provides a usable gadget chain, the deserialization triggers actions such as arbitrary file deletion from __destruct() handlers that unlink a path stored in a property, sensitive data disclosure from classes that read or emit files when invoked, or remote code execution when a gadget passes property values to call_user_func() or similar dynamic dispatch. The attack vector is network-based and unauthenticated.
No public proof-of-concept code is currently available. For technical specifics, refer to the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-7637
Indicators of Compromise
- HTTP requests whose STYXKEY-BOOST_USER_LOCATION cookie carries a PHP object marker (O:<len>:"<class>" or C:<len>:"<class>"), either at the start of the value or nested inside an a: array; in raw access logs the value is URL-encoded, so O%3A is the form to look for there
- Unexpected file deletions, modifications, or creations within the WordPress installation directory
- New PHP files appearing in wp-content/uploads/ or theme directories
- Outbound network connections from the web server to attacker-controlled hosts following anomalous cookie traffic
Detection Strategies
- Inspect web server and WAF logs for cookie values matching the PHP serialized object pattern O:\d+:"[A-Za-z0-9_\\]+":\d+: (URL-decode first, since raw logs show it as O%3A8%3A%22...); class names may contain digits and namespace backslashes, so do not match on letters alone
- Hunt for requests targeting endpoints handled by the Boost plugin that include STYXKEY-BOOST_USER_LOCATION cookies of abnormal length
- Correlate cookie anomalies with subsequent file system or process changes on the web server
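The PHP below is an added example of the log search described in this list; it is not from the page, the vendor, or any product. It assumes an access log in Apache combined format extended with the request Cookie header as a final quoted field, and the three log lines are constructed for the demo. Because the page does not say whether the plugin's own cookie is itself a serialized array, the scan flags only object markers and leaves a bare a: array unflagged.

```php
<?php
// Added example, not from the page or the vendor: scans access-log lines that
// record the Cookie request header and flags PHP object markers in the Boost
// cookie. The log format and the sample lines are constructed for the demo.
declare(strict_types=1);

const BOOST_COOKIE = 'STYXKEY-BOOST_USER_LOCATION';

// O:<len>:"<class>":<n>: or C:<len>:"<class>":<n>: at the start of the value or
// right after ; or { so an object nested inside an a:..:{ } array is caught too.
const OBJECT_MARKER = '/(?:^|[;{])[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:/';

function cookie_value(string $cookieHeader, string $name): ?string
{
    foreach (explode(';', $cookieHeader) as $pair) {
        [$k, $v] = array_pad(explode('=', trim($pair), 2), 2, '');
        if ($k === $name) {
            return urldecode($v);   // raw logs carry O%3A8%3A%22..., decode before matching
        }
    }
    return null;
}

function is_object_injection(string $value): bool
{
    return preg_match(OBJECT_MARKER, $value) === 1;
}

// Pulls the Cookie header out of a combined-format line extended with "%{Cookie}i"
// as its final quoted field, then classifies the Boost cookie if present.
function scan_line(string $line): ?array
{
    if (!preg_match('/"([^"]*)"\s*$/', $line, $m)) {
        return null;
    }
    $value = cookie_value($m[1], BOOST_COOKIE);
    if ($value === null) {
        return null;
    }
    return [
        'client'     => strtok($line, ' '),
        'value'      => $value,
        'length'     => strlen($value),
        'suspicious' => is_object_injection($value),
    ];
}

// Constructed sample lines: a plain serialized array (not flagged), a top-level
// object, and an object hidden inside an array behind another cookie.
$lines = [
    '203.0.113.7 - - [20/May/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "STYXKEY-BOOST_USER_LOCATION=a%3A1%3A%7Bs%3A7%3A%22country%22%3Bs%3A2%3A%22US%22%3B%7D"',
    '203.0.113.8 - - [20/May/2026:10:01:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.0" "STYXKEY-BOOST_USER_LOCATION=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D"',
    '203.0.113.9 - - [20/May/2026:10:01:15 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/8.0" "wordpress_test_cookie=WP%20Cookie%20check; STYXKEY-BOOST_USER_LOCATION=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"',
];

foreach ($lines as $line) {
    $r = scan_line($line);
    if ($r !== null && $r['suspicious']) {
        printf("ALERT %s len=%d %s\n", $r['client'], $r['length'], $r['value']);
    }
}
```

Run against the sample input this reports the second and third lines and stays silent on the first. The URL-decoding step matters: a search for the literal string O:8:" in raw logs misses every real request, because browsers and curl send the quotes and colons percent-encoded.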
Monitoring Recommendations
- Enable PHP error logging and alert on "unserialize(): Error at offset" notices, which malformed or probing payloads produce; note that PHP does not warn when a serialized class is not loaded, it silently creates a __PHP_Incomplete_Class object, so the absence of warnings is not evidence that no injection was attempted
- Monitor WordPress file integrity using checksum baselines for plugin, theme, and core files
- Forward web server access logs to a central analytics platform and search for the affected cookie name
How to Mitigate CVE-2026-7637
Immediate Actions Required
- Update the Boost plugin to a version above 2.0.3 once a patched release is published by PixelYourSite
- Audit all installed plugins and themes and remove any that are unmaintained or unnecessary to reduce POP chain exposure
- Deploy WAF rules that block requests containing serialized PHP objects in the STYXKEY-BOOST_USER_LOCATION cookie
- Rotate WordPress secrets and credentials if exploitation is suspected
Patch Information
Review the vendor page at the PixelYourSite Boost Plugin site for the latest release. The Wordfence Vulnerability Report tracks fixed version availability. Until a fixed version is installed, treat all Boost deployments at or below version 2.0.3 as vulnerable.
Workarounds
- Disable and remove the Boost plugin until a patched version is available
- Configure a WAF or reverse proxy to strip or reject the STYXKEY-BOOST_USER_LOCATION cookie on inbound requests
- Restrict write permissions on WordPress directories to limit damage if a POP chain is triggered
# Example ModSecurity rule to block PHP object markers in the vulnerable cookie.
# Matches O:<n>: or C:<n>: at the start of the value or after ; or { so that an
# object nested inside an a:..:{ } array is caught; REQUEST_COOKIES is already URL-decoded.
SecRule REQUEST_COOKIES:STYXKEY-BOOST_USER_LOCATION "@rx (^|[;{])[OC]:[0-9]+:" \
    "id:1026763701,phase:1,t:none,deny,status:403,log,\
    msg:'CVE-2026-7637: PHP Object Injection attempt via Boost plugin cookie'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


