Boost WordPress Plugin Vulnerable to PHP Object Injection

The National Vulnerability Database reports a critical PHP Object Injection vulnerability, CVE-2026-7637, affecting the Boost plugin for WordPress, versions up to and including 2.0.3. This flaw stems from insecure deserialization of untrusted input found in the STYXKEY-BOOST_USER_LOCATION cookie. Unauthenticated attackers can exploit this to inject a PHP Object.

Critically, while the Boost plugin itself lacks a direct Property-Oriented Programming (POP) chain, the vulnerability becomes highly exploitable if another plugin or theme on the WordPress site does contain one. Should such a POP chain exist, attackers could leverage it to achieve significant impact, including arbitrary file deletion, sensitive data exfiltration, or even remote code execution, depending on the specific POP chain present.

This vulnerability carries a CVSS score of 9.8 (CRITICAL), underscoring the severe risk. Defenders must understand that while Boost is the entry point, the true impact hinges on the broader plugin ecosystem within their WordPress deployments. It’s a supply chain problem at the application layer.

What This Means For You

  • If your organization uses the Boost plugin for WordPress, you are exposed. The immediate action is to review your WordPress installations, identify Boost plugin usage, and assess all other installed plugins and themes for potential POP chain vulnerabilities. Even without a known POP chain in Boost itself, the critical CVSS score means this is not a vulnerability to ignore. Patch or disable immediately.

🛡️ Detection Rules

critical T1190 Initial Access

CVE-2026-7637 - Boost WordPress Plugin PHP Object Injection via Cookie

Sigma YAML — free preview
title: CVE-2026-7637 - Boost WordPress Plugin PHP Object Injection via Cookie
id: scw-2026-05-20-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7637 by looking for requests to the Boost WordPress plugin directory that carry the vulnerable 'STYXKEY-BOOST_USER_LOCATION' cookie. This cookie is used for PHP Object Injection via deserialization.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7637/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Request path and method
  selection:
    cs-uri-stem|contains:
      - '/wp-content/plugins/boost/'
    cs-method:
      - 'GET'
  # The cookie travels in the Cookie request header, not the query string;
  # the web server must be configured to log that header for this to match.
  selection_cookie_value:
    cs-cookie|contains:
      - 'STYXKEY-BOOST_USER_LOCATION='
  condition: selection and selection_cookie_value
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse
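
The Sigma rule above keys on the cookie name alone. The sketch below is an added example, not code from NVD, the plugin, or this feed. It goes one step further and flags log lines where the STYXKEY-BOOST_USER_LOCATION value decodes to a serialized PHP object. The log layout (Cookie header logged as the last quoted field), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

COOKIE_NAME = "STYXKEY-BOOST_USER_LOCATION"  # cookie named in the advisory

# PHP serialize() object headers: O:<len>:"Class":<count>:{ or C:<len>:"Class":<len>:{
# at the start of the value or nested after ';' or '{'. A sign before the length is tolerated.
OBJECT_HEADER = re.compile(r'(?:^|[;{])[OC]:[+]?\d+:"([^"]*)":\d+:\{')

# Assumed log layout: the Cookie request header is logged as the last quoted field.
LAST_QUOTED = re.compile(r'"([^"]*)"\s*$')

# Constructed sample lines (documentation IPs, benign stdClass object), not real traffic.
_PREFIX = '203.0.113.9 - - [20/May/2026:07:20:05 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.5" '
SAMPLE_LOG = [
    _PREFIX + '"STYXKEY-BOOST_USER_LOCATION=US-CA"',
    _PREFIX + '"a=b; STYXKEY-BOOST_USER_LOCATION=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D"',
    _PREFIX + '"-"',
]


def cookie_value(header, name=COOKIE_NAME):
    """Return the raw (still percent-encoded) value of `name` from a Cookie header, or None."""
    for pair in header.split(";"):
        key, sep, value = pair.strip().partition("=")
        if sep and key == name:
            return value
    return None


def injected_classes(header):
    """Class names of serialized PHP objects found in the Boost cookie (empty list if none)."""
    value = cookie_value(header)
    if value is None:
        return []
    for _ in range(3):  # PHP URL-decodes cookies once; allow for double encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return OBJECT_HEADER.findall(value)


def scan_log(lines):
    """Yield (line_number, class_names) for each log line whose cookie carries an object."""
    for number, line in enumerate(lines, 1):
        match = LAST_QUOTED.search(line)
        classes = injected_classes(match.group(1)) if match else []
        if classes:
            yield number, classes
```

The returned class names can be compared against the classes defined by the other plugins and themes installed on the site, which is where the advisory places the real impact.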

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-7637 | Deserialization | Boost plugin for WordPress versions <= 2.0.3 |
| CVE-2026-7637 | PHP Object Injection | Deserialization of untrusted input in STYXKEY-BOOST_USER_LOCATION cookie |
| CVE-2026-7637 | RCE | Requires additional plugin/theme with POP chain for impact (e.g., arbitrary file deletion, sensitive data retrieval, code execution) |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 20, 2026 at 07:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
