← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-7637 · CWE-502 · Disclosed 2026-05-20

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a loaded nail gun shipped without nails, dangerous only if the rest of the toolbox supplies them

CVE-2026-7637 is an unauthenticated PHP object injection in the WordPress Boost plugin affecting versions <= 2.0.3, triggered by unsafe deserialization of the STYXKEY-BOOST_USER_LOCATION cookie. Any public-facing WordPress site running the plugin can be reached remotely, and the bug sits on a low-friction input path: an attacker just sends a crafted cookie and lets PHP rebuild attacker-controlled objects.

The vendor-style 9.8/CRITICAL score overstates fleet-wide reality because the vulnerable plugin does not include its own POP chain. Per Wordfence, impact only materializes if some *other* installed plugin or theme supplies usable gadgets. That is still dangerous in plugin-heavy WordPress estates, but it is not the same thing as standalone pre-auth RCE; the missing gadget chain is the decisive friction point that pulls this down to HIGH instead of leaving it at CRITICAL.

"Pre-auth on paper, but it needs a second bug to land; that drops this from CRITICAL to HIGH"
02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach the public site and plant a malicious cookie with curl or Burp

The attacker sends an HTTP request to any page that executes the vulnerable plugin logic and includes a crafted STYXKEY-BOOST_USER_LOCATION cookie. Tooling is trivial: curl, Burp Repeater, or any mass-scan framework can do it because there is no authentication or user interaction requirement.
Conditions required:
  • Target runs Boost plugin version <= 2.0.3
  • Target site is reachable over HTTP/HTTPS
  • Plugin code path processes the cookie on the request
Where this breaks in practice:
  • Commercial/niche plugin means smaller exposed population than mass-market WordPress plugins
  • Some sites may not execute the vulnerable code path on all routes
  • CDN/WAF layers may normalize or drop obviously malformed cookies
Detection/coverage: Version scanners can identify boost <= 2.0.3 from plugin files, backup inventories, or authenticated WordPress enumeration. Network IDS can flag suspicious serialized-object patterns in the STYXKEY-BOOST_USER_LOCATION cookie, but generic scanners will not prove exploitability.
STEP 02

Trigger unserialize() and instantiate attacker-chosen objects

The vulnerable code deserializes untrusted cookie data, allowing arbitrary object creation inside the live WordPress/PHP process. At this point the attacker has object injection, not guaranteed code execution; the runtime must contain a gadget chain that converts object construction and magic methods into a meaningful action.
Conditions required:
  • PHP deserialization is reached before request rejection
  • Required classes are autoloaded or available in the WordPress runtime
Where this breaks in practice:
  • Object injection alone is often a dead end without useful magic methods
  • Class availability varies by site based on installed plugins/themes
  • Hardened PHP error handling can make some payloads noisy and less reliable
Detection/coverage: Application logs may show malformed cookie values or PHP warnings/notices. EDR rarely sees this until post-exploitation effects occur.
STEP 03

Borrow a gadget chain from another plugin or theme with PHPGGC

To weaponize the bug, the attacker needs a Property-Oriented Programming chain from some other installed component. In practice, operators commonly use PHPGGC-style gadget selection once they fingerprint the plugin/theme stack, then serialize an object graph that leads to file deletion, file read, or command execution.
Conditions required:
  • At least one installed plugin or theme exposes a usable POP chain
  • Attacker can fingerprint the application stack accurately enough to choose a chain
Where this breaks in practice:
  • This is the biggest brake on severity: the vulnerable plugin ships with no known POP chain
  • Modern WordPress estates differ wildly, so reliable one-size-fits-all exploitation is hard
  • Dead chains and version mismatches create a high failure rate in broad spray attempts
Detection/coverage: No common scanner can reliably assert gadget-chain presence across every plugin/theme combination without authenticated file inspection or SBOM-grade inventory. This is where most vendor CVSS math detaches from real operations.
STEP 04

Convert object injection into site compromise

If a valid chain is present, the attacker can reach impacts such as arbitrary file deletion, sensitive data retrieval, or code execution in the web server context. On WordPress, that typically means credential theft from wp-config.php, webshell placement, or full site takeover; on shared hosting, blast radius may extend to neighboring sites depending on isolation.
Conditions required:
  • Successful POP chain execution
  • Web server account has filesystem access needed for the chosen impact
Where this breaks in practice:
  • Shared hosting isolation and read-only deployments can limit privilege after compromise
  • Some gadget outcomes only yield file operations, not immediate shell access
  • Post-exploitation can still be stopped by EDR, immutable infrastructure, or container rebuilds
Detection/coverage: Look for unexpected PHP file writes, plugin/theme file changes, webshell indicators, suspicious outbound callbacks, and access to sensitive files. Traditional vuln scanning ends before this stage.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo reviewed source showed confirmed active exploitation for CVE-2026-7637. I found no KEV listing and no vendor or researcher statement claiming live campaigns.
KEV statusNot present in the current CISA KEV catalog in reviewed sources.
Proof-of-concept availabilityNo public exploit repo was found in reviewed sources. Practical weaponization would likely use generic serializers such as curl/Burp plus a gadget-chain toolkit like PHPGGC, but a working exploit is site-specific because another installed plugin/theme must supply the POP chain.
EPSSUser-supplied EPSS is 0.00148 (~0.148%), which is low and aligns with the real-world friction introduced by the missing built-in gadget chain.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H scores the *technical ceiling*: remote, unauthenticated, no user action. What it misses is the extra prerequisite of a separate POP chain.
Affected versionsBoost plugin for WordPress <= 2.0.3 according to Wordfence and Patchstack.
Fixed versionPatch in 2.0.4. I did not find distro/package-manager backport guidance; this looks like a direct WordPress plugin upgrade case.
Exposure populationThis is a public-web WordPress issue, so the vulnerable population is inherently internet-reachable. However, reviewed sources did not provide Shodan/Censys/FOFA counts or GreyNoise telemetry for this application-layer cookie issue.
Disclosure timelineNVD published on 2026-05-20; Wordfence shows public publication on 2026-05-19; Patchstack lists publication on 2026-05-27.
Researcher / sourceCredited researcher: Osvaldo Noe Gonzalez Del Rio (Os), per Wordfence and Patchstack.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (8.1/10)

The single most important factor is that exploitation is not self-contained: the vulnerable plugin does not provide its own POP chain, so the attacker must find a second vulnerable or gadget-rich component already installed. That keeps this dangerous for plugin-dense public WordPress estates, but it materially narrows reliability and population-wide exploitability versus a true standalone pre-auth RCE.

HIGH Affected version range and patched version (`<= 2.0.3`, fixed in `2.0.4`)
HIGH Exploit-chain friction from missing built-in POP chain
MEDIUM Real-world exploitation prevalence across enterprise WordPress fleets

Why this verdict

  • Downgrade from 9.8 because a second prerequisite exists: the attacker needs a usable POP chain from another installed plugin or theme, which is a hard real-world dependency not captured in the base CVSS.
  • Still HIGH because attacker position is excellent: this is unauthenticated, remote, internet-reachable input via a cookie on public WordPress sites, so initial access friction is otherwise very low.
  • Blast radius can still be ugly on the right site: when a gadget chain exists, the attacker may reach file read, file deletion, or code execution in the web context, which is enough for WordPress takeover and secret theft.

Why not higher?

It is not CRITICAL because the exploit chain is incomplete in the vulnerable product itself. A vulnerability that needs public reachability plus a separate gadget-bearing plugin/theme is materially less reliable than direct pre-auth RCE, and that extra dependency should count heavily in enterprise prioritization.

Why not lower?

It is not MEDIUM because the first half of the chain is extremely easy: remote, unauthenticated, and cookie-based on a public web app. In WordPress environments with many plugins and themes, the odds of a usable gadget chain are not theoretical, so the residual risk remains too high to relegate to routine backlog work.

05 · Compensating Control

What to do — in priority order.

  1. Upgrade to 2.0.4+ — Apply the vendor fix everywhere the Boost plugin is present. For a HIGH verdict, complete this within 30 days as the practical mitigation target and no later than the patch deadline called out in bottom_line.
  2. Block serialized cookie payloads — Add WAF or reverse-proxy rules to inspect the STYXKEY-BOOST_USER_LOCATION cookie for PHP serialization markers and oversized/encoded payloads. This is a compensating control, not a guaranteed fix, and should be deployed within 30 days where immediate plugin updates are operationally hard.
  3. Prune unused plugins and themes — Reduce gadget-chain surface by removing inactive or abandoned plugins/themes, especially on marketing sites with plugin sprawl. This matters here because the exploit becomes dangerous only when another component contributes the POP chain; start cleanup within 30 days.
  4. Restrict public exposure where possible — If some sites using this plugin do not need broad internet reach, gate them behind VPN, SSO proxy, IP allowlists, or maintenance mode while you patch. That cuts off the unauthenticated remote entry point and should be implemented within 30 days for exceptions.
  5. Hunt for post-exploitation artifacts — Review for unexpected plugin/theme file changes, suspicious PHP drops, webshells, and access to wp-config.php. This should begin immediately on high-value or plugin-dense WordPress estates because compromise, if it lands, usually becomes a content-management and credential-theft problem fast.
What doesn't work
  • MFA for WordPress admins does not stop the vulnerable path because this bug is pre-auth and cookie-driven.
  • Hiding /wp-admin or changing login URLs` is irrelevant; the attack hits public request handling, not the authentication workflow.
  • Relying on CVSS alone is exactly the mistake here: the score captures theoretical impact but ignores the missing built-in POP chain.
06 · Verification

Crowdsourced verification payload.

Run this on the target WordPress host as a user that can read the WordPress files; root is not required unless file permissions are locked down. Invoke it with the plugin directory path, for example: bash check_boost_cve_2026_7637.sh /var/www/html/wp-content/plugins/boost.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_boost_cve_2026_7637.sh
# Detects whether the WordPress Boost plugin version is vulnerable to CVE-2026-7637.
# Usage: bash check_boost_cve_2026_7637.sh /path/to/wp-content/plugins/boost
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / error

set -u

TARGET_PATH="${1:-}"

if [[ -z "$TARGET_PATH" ]]; then
  echo "UNKNOWN - usage: $0 /path/to/wp-content/plugins/boost"
  exit 2
fi

if [[ ! -d "$TARGET_PATH" ]]; then
  echo "UNKNOWN - plugin directory not found: $TARGET_PATH"
  exit 2
fi

version=""

# Try common plugin entrypoint files first.
for f in "$TARGET_PATH/boost.php" "$TARGET_PATH/index.php"; do
  if [[ -f "$f" ]]; then
    v=$(grep -Eim1 '^[[:space:]]*Version:[[:space:]]*[0-9][0-9A-Za-z._-]*' "$f" | sed -E 's/^[[:space:]]*Version:[[:space:]]*//I' | tr -d '\r')
    if [[ -n "$v" ]]; then
      version="$v"
      break
    fi
  fi
done

# Fallback to readme.txt stable tag.
if [[ -z "$version" && -f "$TARGET_PATH/readme.txt" ]]; then
  v=$(grep -Eim1 '^[[:space:]]*Stable tag:[[:space:]]*[0-9][0-9A-Za-z._-]*' "$TARGET_PATH/readme.txt" | sed -E 's/^[[:space:]]*Stable tag:[[:space:]]*//I' | tr -d '\r')
  if [[ -n "$v" ]]; then
    version="$v"
  fi
fi

if [[ -z "$version" ]]; then
  echo "UNKNOWN - unable to determine installed Boost plugin version"
  exit 2
fi

# Normalize a leading 'v'
version="${version#v}"

# Compare using sort -V; assumes GNU coreutils available on most Linux hosts.
if [[ "$(printf '%s\n' "$version" "2.0.3" | sort -V | head -n1)" == "$version" ]] && [[ "$version" != "2.0.4" ]] && [[ "$version" != "2.0.5" ]] && [[ "$version" != "2.0.6" ]]; then
  # If version <= 2.0.3
  if [[ "$version" == "$(printf '%s\n' "$version" "2.0.3" | sort -V | head -n1)" ]]; then
    echo "VULNERABLE - Boost version $version is <= 2.0.3"
    exit 1
  fi
fi

# Simpler direct check after normalization
if [[ "$version" == "$(printf '%s\n' "$version" "2.0.3" | sort -V | head -n1)" && "$version" != "2.0.3" ]] || [[ "$version" == "2.0.3" ]] || [[ "$version" == "2.0.2" ]] || [[ "$version" == "2.0.1" ]] || [[ "$version" == "2.0.0" ]]; then
  echo "VULNERABLE - Boost version $version is <= 2.0.3"
  exit 1
fi

if [[ "$version" == "$(printf '%s\n' "2.0.4" "$version" | sort -V | head -n1)" ]]; then
  echo "PATCHED - Boost version $version is >= 2.0.4"
  exit 0
fi

echo "UNKNOWN - parsed version '$version' but comparison was inconclusive"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a targeted HIGH, not a universal CRITICAL: pull an inventory of all public WordPress sites running Boost <= 2.0.3, prioritize the plugin-dense and revenue-facing ones first, and either upgrade or put temporary cookie-filtering / exposure-reduction controls in front of them. Under the noisgate mitigation SLA, you have ≤30 days to get compensating controls in place where patching cannot happen immediately; under the noisgate remediation SLA, complete the actual upgrade to 2.0.4+ within ≤180 days. If a site carries lots of third-party plugins/themes or sits on shared hosting, move it to the front of that queue because that is where the missing POP-chain assumption is most likely to fail in the attacker's favor.

Sources

  1. NVD CVE-2026-7637
  2. Wordfence specific advisory
  3. Patchstack advisory
  4. CISA Known Exploited Vulnerabilities Catalog
  5. FIRST EPSS overview
  6. FIRST EPSS API documentation
  7. PixelYourSite Boost plugin page
  8. SentinelOne CVE summary
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.