JS Archive List <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'included' Shortcode Attribute
Summary
| CVE | CVE-2026-2020 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-07 02:16:12 UTC |
| Updated | 2026-04-22 21:27:27 UTC |
| Description | The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from [email protected]
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.000840000 probability, percentile 0.244030000 (date 2026-04-22)
Problem Types: CWE-502 | CWE-502 CWE-502 Deserialization of Untrusted Data
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Skatox | JS Archive List | affected 6.1.7 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| plugins.trac.wordpress.org/browser/jquery-archive-list-widget/trunk/classes/class-js-arc... | [email protected] | plugins.trac.wordpress.org | |
| www.wordfence.com/threat-intel/vulnerabilities/id/9b0f6653-471b-4cee-9c92-f24db... | [email protected] | www.wordfence.com | |
| plugins.trac.wordpress.org/browser/jquery-archive-list-widget/tags/6.1.7/classes/class-j... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/jquery-archive-list-widget/trunk/classes/class-jq-arc... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/jquery-archive-list-widget/tags/6.1.7/classes/class-j... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/changeset | [email protected] | plugins.trac.wordpress.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Athiwat Tiprasaharn (en)
CNA: Itthidej Aramsri (en)
CNA: Waris Damkham (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-02-05T20:19:15.000Z | Vendor Notified |
| CNA | 2026-03-06T11:46:38.000Z | Disclosed |
There are currently no legacy QID mappings associated with this CVE.