CVE-2026-2020
📋 TL;DR
The JS Archive List WordPress plugin is vulnerable to PHP object injection through the 'included' shortcode attribute. Authenticated attackers with Contributor-level access or higher can exploit this to inject malicious PHP objects. If a POP chain exists via other plugins or themes, this could lead to arbitrary file deletion, data theft, or remote code execution.
💻 Affected Systems
- JS Archive List WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if a POP chain exists via other installed plugins/themes
Likely Case
PHP object injection with limited impact due to no known POP chain in the vulnerable plugin itself
If Mitigated
No impact if proper access controls prevent Contributor-level users from posting content with shortcodes
🎯 Exploit Status
Exploitation requires authenticated access and depends on the presence of a POP chain in other installed components. No known POP chain exists in the vulnerable plugin itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 6.1.7
Vendor Advisory: https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'JS Archive List' plugin. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and delete the plugin.
🔧 Temporary Workarounds
Remove Contributor Shortcode Permissions
allPrevent Contributor-level users from using shortcodes in posts/pages
Disable Plugin
linuxTemporarily disable the vulnerable plugin until patched
wp plugin deactivate jquery-archive-list-widget
🧯 If You Can't Patch
- Restrict Contributor-level user permissions to prevent shortcode usage
- Implement web application firewall rules to block requests containing suspicious 'included' parameter values
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for 'JS Archive List' version 6.1.7 or earlierCheck Version:
wp plugin get jquery-archive-list-widget --field=versionVerify Fix Applied:
Verify plugin version is higher than 6.1.7 in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- POST requests containing 'included' parameter with serialized data
- WordPress user with Contributor role creating/modifying posts with shortcodes
Network Indicators:
- HTTP requests to WordPress with 'included' parameter containing serialized PHP objects
SIEM Query:
source="wordpress.log" AND ("included=" OR "[js_archive_list")🔗 References
- https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/tags/6.1.7/classes/class-jq-archive-list-widget.php#L674
- https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/tags/6.1.7/classes/class-js-archive-list-settings.php#L10
- https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/trunk/classes/class-jq-archive-list-widget.php#L674
- https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/trunk/classes/class-js-archive-list-settings.php#L10
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3466978%40jquery-archive-list-widget&new=3466978%40jquery-archive-list-widget&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9b0f6653-471b-4cee-9c92-f24dbe2c2dbd?source=cve
