Cyber Resilience

CVE-2026-49777

Critical · Updated

Published: 05 June 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: 3.5.4
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0166 (73.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-49777 is a critical-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2026-49777 is an improper validation of specified quantity in input vulnerability, tracked under CWE-1284, that affects the Product Slider Pro for WooCommerce plugin by ShapedPlugin, LLC. The flaw exists in all versions prior to 3.5.4 and permits implantation of malicious software. It carries a CVSS 3.1 score of 10.0, reflecting network attack vector, low complexity, no required privileges or user interaction, and changed scope with high impact on confidentiality, integrity, and availability.

An unauthenticated attacker reachable over the network can supply crafted input that bypasses quantity validation checks, resulting in unauthorized implantation of malicious code. Successful exploitation grants the attacker full control over the affected WordPress site, enabling arbitrary code execution, data exfiltration, or persistence mechanisms.

The single referenced advisory from Patchstack identifies the issue as a backdoor vulnerability in the plugin and points to version 3.5.4 as the corrective release. The EPSS score remains flat at 0.0655 with no material increase since disclosure.

EU & UK References

Vulnerability details

Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted. This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Remote unauthenticated RCE via a public-facing WooCommerce plugin directly matches T1190; the resulting malicious-code implant/backdoor matches T1505.003.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

SI-10 Information Input Validation (prevent)

Directly requires validation of all input fields (including quantity values) to block the crafted inputs that bypass checks and implant malicious code.

SI-7 Software, Firmware, and Information Integrity (prevent / detect)

Requires integrity verification of software and files to detect or block unauthorized implantation of malicious code resulting from the input-validation flaw.

prevent / detect

Provides malicious-code detection and blocking mechanisms that can mitigate successful exploitation of the backdoor implantation vulnerability.

References