CVE-2026-7637: WordPress Boost Plugin PHP Object Injection via Cookie (CVSS 9.8)

Executive Summary

A critical PHP Object Injection vulnerability (CVE-2026-7637) has been discovered in the Boost plugin for WordPress, affecting all versions up to and including 2.0.3. The vulnerability carries a CVSS score of 9.8.

The flaw arises from the deserialization of untrusted input contained in the STYXKEY-BOOST_USER_LOCATION cookie, allowing unauthenticated attackers to inject arbitrary PHP objects into the application. While no known POP (Property-Oriented Programming) chain exists within the plugin itself, the presence of a PHP Object Injection point is a critical primitive — any installed plugin or theme that provides a usable POP chain could escalate this to Remote Code Execution, file deletion, data exfiltration, or full site compromise.

WordPress site operators running the Boost plugin version 2.0.3 or earlier should update immediately.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-7637
CVSS Score	9.8 (Critical)
CWE	CWE-502 — Deserialization of Untrusted Data
Type	PHP Object Injection
Attack Vector	Network
Privileges Required	None (unauthenticated)
User Interaction	None
Known POP Chain in Plugin	No
Patch Available	Update beyond version 2.0.3
Published	2026-05-20

Affected Versions

Plugin	Affected Versions	Fixed Version
Boost for WordPress	≤ 2.0.3	> 2.0.3 (update to latest)

Technical Analysis

Root Cause

The Boost plugin reads and deserializes the value of the STYXKEY-BOOST_USER_LOCATION HTTP cookie using PHP's unserialize() function without first validating or sanitizing the input.

PHP's unserialize() is inherently dangerous when applied to attacker-controlled data because:

Deserialization instantiates PHP objects from serialized strings
During instantiation, PHP's magic methods (__wakeup, __destruct, __toString, etc.) execute automatically
A "POP chain" — a sequence of gadgets using installed classes — can chain these magic method calls into arbitrary code execution

Attack Mechanism

Attack flow:
1. Attacker crafts a malicious PHP serialized string targeting installed gadget classes
2. Attacker sets the STYXKEY-BOOST_USER_LOCATION cookie to the malicious payload
3. WordPress processes the page request; Boost plugin reads the cookie value
4. Plugin calls unserialize() on the attacker-controlled cookie data
5. PHP instantiates attacker's object, triggering __wakeup or __destruct methods
6. If a POP chain is present in co-installed plugins/themes, this leads to:
   - Remote Code Execution
   - Arbitrary file read/write/delete operations
   - SQL injection via object manipulation
   - Server-Side Request Forgery (SSRF)

POP Chain Risk in WordPress Environments

WordPress sites typically run with dozens of plugins and themes — each adding PHP classes to the runtime. Many popular plugins (WooCommerce, Yoast SEO, various page builders) have historically contained POP chain gadgets.

Even without a known POP chain in Boost itself, the vulnerability is rated 9.8 because:

The attack surface is any WordPress site running Boost alongside other plugins
POP chains are routinely discovered and published for the WordPress ecosystem
An attacker can fingerprint installed plugins and select an appropriate chain

Impact Assessment

Impact Area	Description
Remote Code Execution	If a POP chain exists in co-installed code
Arbitrary File Operations	Read, write, or delete files on the server
Database Compromise	SQL injection via deserialized object manipulation
Site Defacement	Modification of content or installation of backdoors
Credential Theft	Access to wp-config.php and database credentials
Persistent Backdoor	Webshell installation in wp-content directories
Lateral Movement	Pivot to other sites on shared hosting

Immediate Remediation

Step 1: Update the Boost Plugin

# Via WP-CLI
wp plugin update boost
 
# Verify the installed version
wp plugin get boost --field=version
# Confirm output is greater than 2.0.3

Or update through WordPress Admin > Plugins > Installed Plugins > Boost > Update Now.

Step 2: If Immediate Update Is Not Possible — Disable the Plugin

# Via WP-CLI
wp plugin deactivate boost
 
# Verify deactivation
wp plugin list --status=inactive | grep boost

Deploy a Web Application Firewall rule to block serialized PHP objects in the cookie header:

# Nginx: block serialized PHP objects in the Boost cookie
if ($http_cookie ~* "STYXKEY-BOOST_USER_LOCATION.*O:[0-9]+:") {
    return 403;
}

# Apache: ModSecurity rule (place in modsecurity.conf)
SecRule REQUEST_COOKIES:STYXKEY-BOOST_USER_LOCATION "@rx O:[0-9]+:" \
    "id:1000001,phase:1,deny,status:403,msg:'PHP Object Injection attempt'"

Step 4: Audit for Compromise

# Check for recently created PHP files in wp-content (potential webshells)
find /var/www/html/wp-content/ -name "*.php" \
  -newer /var/www/html/wp-includes/version.php \
  -not -path "*/cache/*" -type f
 
# Check access logs for suspicious Boost cookie payloads
grep "STYXKEY-BOOST_USER_LOCATION" /var/log/nginx/access.log | \
  grep -E "O:[0-9]+:" | tail -50
 
# Look for unauthorized administrator accounts
wp user list --role=administrator --fields=user_login,user_email,user_registered

Detection Indicators

Indicator	Description
`STYXKEY-BOOST_USER_LOCATION` cookie with `O:[0-9]+:` pattern	PHP serialized object in cookie
New PHP files in wp-content/ not associated with a plugin update	Potential webshell installation
Unexpected admin account creation	Post-exploitation persistence
HTTP 500 errors from PHP deserialization errors	Exploitation attempt (failed)
Unusual outbound network connections from webserver	Active post-exploitation activity

Post-Remediation Checklist

Update Boost plugin beyond version 2.0.3
Deactivate the plugin immediately if update cannot be applied
Scan wp-content directory for unauthorized PHP files or modifications
Review web server access logs for exploitation attempts
Audit all administrator accounts and remove any unauthorized entries
Reset WordPress secret keys and salts
Deploy a WAF rule blocking serialized PHP objects in the Boost cookie header
Review all co-installed plugins for known POP chain gadgets
Enable file integrity monitoring on the WordPress installation

References

Executive Summary

WordPress site operators running the Boost plugin version 2.0.3 or earlier should update immediately.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-7637
CVSS Score	9.8 (Critical)
CWE	CWE-502 — Deserialization of Untrusted Data
Type	PHP Object Injection
Attack Vector	Network
Privileges Required	None (unauthenticated)
User Interaction	None
Known POP Chain in Plugin	No
Patch Available	Update beyond version 2.0.3
Published	2026-05-20

Affected Versions

Plugin	Affected Versions	Fixed Version
Boost for WordPress	≤ 2.0.3	> 2.0.3 (update to latest)

Technical Analysis

Root Cause

The Boost plugin reads and deserializes the value of the STYXKEY-BOOST_USER_LOCATION HTTP cookie using PHP's unserialize() function without first validating or sanitizing the input.

PHP's unserialize() is inherently dangerous when applied to attacker-controlled data because:

Deserialization instantiates PHP objects from serialized strings
During instantiation, PHP's magic methods (__wakeup, __destruct, __toString, etc.) execute automatically
A "POP chain" — a sequence of gadgets using installed classes — can chain these magic method calls into arbitrary code execution

Attack Mechanism

Attack flow:
1. Attacker crafts a malicious PHP serialized string targeting installed gadget classes
2. Attacker sets the STYXKEY-BOOST_USER_LOCATION cookie to the malicious payload
3. WordPress processes the page request; Boost plugin reads the cookie value
4. Plugin calls unserialize() on the attacker-controlled cookie data
5. PHP instantiates attacker's object, triggering __wakeup or __destruct methods
6. If a POP chain is present in co-installed plugins/themes, this leads to:
   - Remote Code Execution
   - Arbitrary file read/write/delete operations
   - SQL injection via object manipulation
   - Server-Side Request Forgery (SSRF)

POP Chain Risk in WordPress Environments

Even without a known POP chain in Boost itself, the vulnerability is rated 9.8 because:

The attack surface is any WordPress site running Boost alongside other plugins
POP chains are routinely discovered and published for the WordPress ecosystem
An attacker can fingerprint installed plugins and select an appropriate chain

Impact Assessment

Impact Area	Description
Remote Code Execution	If a POP chain exists in co-installed code
Arbitrary File Operations	Read, write, or delete files on the server
Database Compromise	SQL injection via deserialized object manipulation
Site Defacement	Modification of content or installation of backdoors
Credential Theft	Access to wp-config.php and database credentials
Persistent Backdoor	Webshell installation in wp-content directories
Lateral Movement	Pivot to other sites on shared hosting

Immediate Remediation

Step 1: Update the Boost Plugin

# Via WP-CLI
wp plugin update boost
 
# Verify the installed version
wp plugin get boost --field=version
# Confirm output is greater than 2.0.3

Or update through WordPress Admin > Plugins > Installed Plugins > Boost > Update Now.

Step 2: If Immediate Update Is Not Possible — Disable the Plugin

# Via WP-CLI
wp plugin deactivate boost
 
# Verify deactivation
wp plugin list --status=inactive | grep boost

Deploy a Web Application Firewall rule to block serialized PHP objects in the cookie header:

# Nginx: block serialized PHP objects in the Boost cookie
if ($http_cookie ~* "STYXKEY-BOOST_USER_LOCATION.*O:[0-9]+:") {
    return 403;
}

# Apache: ModSecurity rule (place in modsecurity.conf)
SecRule REQUEST_COOKIES:STYXKEY-BOOST_USER_LOCATION "@rx O:[0-9]+:" \
    "id:1000001,phase:1,deny,status:403,msg:'PHP Object Injection attempt'"

Step 4: Audit for Compromise

# Check for recently created PHP files in wp-content (potential webshells)
find /var/www/html/wp-content/ -name "*.php" \
  -newer /var/www/html/wp-includes/version.php \
  -not -path "*/cache/*" -type f
 
# Check access logs for suspicious Boost cookie payloads
grep "STYXKEY-BOOST_USER_LOCATION" /var/log/nginx/access.log | \
  grep -E "O:[0-9]+:" | tail -50
 
# Look for unauthorized administrator accounts
wp user list --role=administrator --fields=user_login,user_email,user_registered

Detection Indicators

Indicator	Description
`STYXKEY-BOOST_USER_LOCATION` cookie with `O:[0-9]+:` pattern	PHP serialized object in cookie
New PHP files in wp-content/ not associated with a plugin update	Potential webshell installation
Unexpected admin account creation	Post-exploitation persistence
HTTP 500 errors from PHP deserialization errors	Exploitation attempt (failed)
Unusual outbound network connections from webserver	Active post-exploitation activity

Post-Remediation Checklist

Update Boost plugin beyond version 2.0.3
Deactivate the plugin immediately if update cannot be applied
Scan wp-content directory for unauthorized PHP files or modifications
Review web server access logs for exploitation attempts
Audit all administrator accounts and remove any unauthorized entries
Reset WordPress secret keys and salts
Deploy a WAF rule blocking serialized PHP objects in the Boost cookie header
Review all co-installed plugins for known POP chain gadgets
Enable file integrity monitoring on the WordPress installation

CVE-2026-7637: WordPress Boost Plugin PHP Object Injection via Cookie (CVSS 9.8)

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Mechanism

POP Chain Risk in WordPress Environments

Impact Assessment

Immediate Remediation

Step 1: Update the Boost Plugin

Step 2: If Immediate Update Is Not Possible — Disable the Plugin

Step 4: Audit for Compromise

Detection Indicators

Post-Remediation Checklist

References

CVE-2026-26210: KTransformers Unsafe Deserialization RCE via Unauthenticated ZMQ RPC

CVE-2026-6279: Avada Builder Unauthenticated RCE via PHP Function Injection

CVE-2026-24207: NVIDIA Triton Inference Server Auth Bypass (CVSS 9.8)

CVE-2026-7637: WordPress Boost Plugin PHP Object Injection via Cookie (CVSS 9.8)

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Mechanism

POP Chain Risk in WordPress Environments

Impact Assessment

Immediate Remediation

Step 1: Update the Boost Plugin

Step 2: If Immediate Update Is Not Possible — Disable the Plugin

Step 4: Audit for Compromise

Detection Indicators

Post-Remediation Checklist

References

CVE-2026-26210: KTransformers Unsafe Deserialization RCE via Unauthenticated ZMQ RPC

CVE-2026-6279: Avada Builder Unauthenticated RCE via PHP Function Injection

CVE-2026-24207: NVIDIA Triton Inference Server Auth Bypass (CVSS 9.8)

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Mechanism

POP Chain Risk in WordPress Environments

Impact Assessment

Immediate Remediation

Step 1: Update the Boost Plugin

Step 2: If Immediate Update Is Not Possible — Disable the Plugin

Step 3: Block Malicious Cookie Payloads at the WAF

Step 4: Audit for Compromise

Detection Indicators

Post-Remediation Checklist

References

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Technical Analysis

Root Cause

Attack Mechanism

POP Chain Risk in WordPress Environments

Impact Assessment

Immediate Remediation

Step 1: Update the Boost Plugin

Step 2: If Immediate Update Is Not Possible — Disable the Plugin

Step 3: Block Malicious Cookie Payloads at the WAF

Step 4: Audit for Compromise

Detection Indicators

Post-Remediation Checklist

References