CVE-2026-22480
Published: 25 March 2026
Summary
CVE-2026-22480 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22480 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the WebToffee Product Feed for WooCommerce WordPress plugin (webtoffee-product-feed), enabling Object Injection. The issue affects all versions from n/a through 2.3.3 inclusive. Published on 2026-03-25T17:16:30.650, it has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Exploitation is possible over the network by an attacker with high privileges, such as an authenticated administrator, requiring low attack complexity and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or other severe consequences via the object injection.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/webtoffee-product-feed/vulnerability/wordpress-product-feed-for-woocommerce-plugin-2-3-3-php-object-injection-vulnerability?_s_id=cve details this PHP Object Injection vulnerability in the WordPress Product Feed for WooCommerce plugin version 2.3.3.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15487
Vulnerability details
Deserialization of Untrusted Data vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Object Injection.This issue affects Product Feed for WooCommerce: from n/a through <= 2.3.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
PHP object injection in public-facing WordPress plugin directly enables remote exploitation for RCE by authenticated admins.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the deserialization vulnerability by requiring timely patching of the affected WebToffee Product Feed plugin to a non-vulnerable version.
Enables identification of the vulnerable plugin version through regular vulnerability scanning, facilitating prompt remediation.
Validates untrusted inputs to the plugin, reducing the risk of successful object injection via malicious serialized data.