CVE-2026-49777
Published: 05 June 2026
Summary
CVE-2026-49777 is a critical-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2026-49777 is an improper validation of specified quantity in input vulnerability, tracked under CWE-1284, that affects the Product Slider Pro for WooCommerce plugin by ShapedPlugin, LLC. The flaw exists in all versions prior to 3.5.4 and permits implantation of malicious software. It carries a CVSS 3.1 score of 10.0, reflecting network attack vector, low complexity, no required privileges or user interaction, and changed scope with high impact on confidentiality, integrity, and availability.
An unauthenticated attacker reachable over the network can supply crafted input that bypasses quantity validation checks, resulting in unauthorized implantation of malicious code. Successful exploitation grants the attacker full control over the affected WordPress site, enabling arbitrary code execution, data exfiltration, or persistence mechanisms.
The single referenced advisory from Patchstack identifies the issue as a backdoor vulnerability in the plugin and points to version 3.5.4 as the corrective release. The EPSS score remains flat at 0.0655 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-34792
Vulnerability details
Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted. This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.4.
- CWE(s): CWE-1284 (Improper Validation of Specified Quantity in Input)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
- T1505.003 (Server Software Component: Web Shell)
Why these techniques?
Remote, unauthenticated code execution through a publicly reachable WooCommerce plugin maps directly to T1190 (Exploit Public-Facing Application); the malicious code implant or backdoor that results maps to T1505.003 (Server Software Component: Web Shell).
Affected Assets
- Product Slider Pro for WooCommerce (ShapedPlugin, LLC), all versions before 3.5.4
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all input fields, including quantity values, which blocks the crafted inputs that bypass the plugin's checks and implant malicious code.
- SI-7 (Software, Firmware, and Information Integrity): requires integrity verification of software and files, so unauthorized implantation of malicious code resulting from the input-validation flaw can be detected or blocked.
- SI-3 (Malicious Code Protection): provides malicious-code detection and blocking mechanisms that can contain a successful exploitation of the backdoor implantation vulnerability.