CVE-2026-22471
Published: 05 March 2026
Summary
CVE-2026-22471 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 27.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22471 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the Secudeal Payments for Ecommerce WordPress plugin (secudeal-payments-for-ecommerce) that enables PHP Object Injection. The issue affects all versions through 1.1 (no lower bound is given, listed as "n/a"), as published on 2026-03-05.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): it is exploitable remotely over the network by a low-privileged authenticated user, with low attack complexity and no user interaction required. Successful exploitation has high impact on confidentiality, integrity, and availability, because an attacker who controls the serialized input can inject arbitrary objects during deserialization.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/secudeal-payments-for-ecommerce/vulnerability/wordpress-secudeal-payments-for-ecommerce-plugin-1-1-php-object-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9583
Vulnerability details
Deserialization of Untrusted Data vulnerability in maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce allows Object Injection. This issue affects Secudeal Payments for Ecommerce: from n/a through <= 1.1.
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
Why these techniques?
PHP object injection via untrusted deserialization in a public-facing WordPress plugin directly enables remote exploitation of the application for code execution.
Mitigating Controls (NIST 800-53 r5, AI-generated mapping)
- SI-2 (Flaw Remediation): directly requires timely patching and remediation of the deserialization of untrusted data flaw in the Secudeal Payments plugin.
- SI-10 (Information Input Validation): enforces validation of untrusted inputs to prevent deserialization of malicious objects leading to object injection.
- Memory protection: implements memory protections to mitigate unauthorized code execution from object injection exploits.
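The following PHP snippet is an added illustration of the CWE-502 pattern behind the ATT&CK mapping above and of the input-validation control (SI-10); it is not code from the Secudeal plugin, and the function names, the `DemoObject` class and the sample payloads are constructed for the example. It contrasts the unsafe call that lets a request body instantiate arbitrary classes with two hardened variants: `unserialize()` with `allowed_classes` disabled, and JSON, which cannot express PHP objects at all.

```php
<?php
// Added example, not the plugin's code. A generic WordPress-style handler
// that restores request-supplied state. The vulnerable form hands
// attacker-controlled bytes to unserialize(), which instantiates any class
// named in the payload and runs its __wakeup()/__destruct() magic methods.

// Vulnerable pattern (the CWE-502 / PHP object injection condition).
function restore_state_vulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern 1: forbid object instantiation. With allowed_classes
// set to false every object in the payload becomes __PHP_Incomplete_Class,
// so no application class is constructed and no magic method runs.
function restore_state_hardened(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        // Malformed input, or anything other than the expected array,
        // is rejected instead of being used silently.
        throw new InvalidArgumentException('Unexpected serialized state');
    }
    // Defence in depth: the expected state is plain arrays and scalars,
    // so any object placeholder in the payload is treated as tampering
    // (and is worth logging for detection).
    array_walk_recursive($data, function ($value) {
        if ($value instanceof __PHP_Incomplete_Class) {
            throw new InvalidArgumentException('Object found in serialized state');
        }
    });
    return $data;
}

// Hardened pattern 2 (preferred for new code): do not use PHP's native
// serialization for untrusted input at all. JSON has no object notation
// that maps to PHP classes, so object injection is impossible by design.
function restore_state_json(string $raw): array
{
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Unexpected JSON state');
    }
    return $data;
}

// Constructed inputs for demonstration. DemoObject is a harmless class
// standing in for whatever class an attacker would name in a payload.
class DemoObject
{
    public $x = 1;
}

$benign     = serialize(['order_id' => 42, 'currency' => 'EUR']);
$withObject = serialize(['order_id' => 42, 'obj' => new DemoObject()]);

var_dump(restore_state_hardened($benign));
try {
    restore_state_hardened($withObject);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
var_dump(restore_state_json('{"order_id":42,"currency":"EUR"}'));
```

The `allowed_classes` option exists since PHP 7.0; on older runtimes the only safe choice is the JSON variant. In a WordPress plugin the same principle applies to `maybe_unserialize()` on request data and to values pulled from storage that a low-privileged user can write, which is the privilege level (PR:L) the CVSS vector above records.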