CVE-2026-2020 in JS Archive List Plugin

Summary

by MITRE • 03/07/2026

The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.


Analysis

by VulDB Data Team • 03/08/2026

The JS Archive List plugin for WordPress presents a critical security vulnerability classified as PHP Object Injection in versions up to and including 6.1.7. This vulnerability specifically manifests through the 'included' shortcode attribute, creating a dangerous pathway for authenticated attackers who possess Contributor-level access or higher. The flaw resides in the plugin's improper handling of user-supplied input during the deserialization process, where untrusted data is directly processed without adequate sanitization or validation measures.

The technical implementation of this vulnerability follows a well-established pattern of insecure deserialization that aligns with CWE-502, which catalogs weaknesses related to deserializing untrusted data. When an attacker crafts malicious input through the 'included' parameter, the plugin's shortcode processing routine attempts to deserialize this data, effectively allowing the attacker to inject arbitrary PHP objects into the application's memory space. This injection occurs because the plugin fails to implement proper input validation or sanitization before processing the user-provided data, creating a direct attack vector that bypasses normal security controls.

The operational impact of this vulnerability extends beyond simple data manipulation, as it provides authenticated attackers with significant capabilities within the WordPress environment. While the vulnerability itself does not contain a pre-built chain of method calls that would enable immediate code execution, it creates a foundation for more sophisticated attacks when combined with other vulnerable components within the same system. The absence of a known POP (Property-Oriented Programming) chain within the vulnerable plugin does not diminish its threat level, as attackers can potentially leverage this injection to exploit other components that may contain such chains through additional plugins or themes installed on the target system.

If a POP chain is available through another plugin or theme in the WordPress installation, attackers with Contributor-level access or higher can use this injection to perform arbitrary file operations, including deletion of critical files and extraction of sensitive data, and potentially to compromise the full system. The vulnerability's exploitation requires minimal privileges and provides a substantial attack surface, making it particularly dangerous in environments where multiple plugins or themes are installed. The risk is amplified by the fact that many WordPress installations include additional components that may contain POP chains or other exploitation vectors, creating a cascading effect that could result in complete system compromise.

Security mitigations for this vulnerability must address both the immediate plugin issue and the broader security posture of the WordPress installation. The primary recommendation involves updating to the latest version of the JS Archive List plugin where the vulnerability has been patched, ensuring that all user input is properly sanitized and validated before processing. Additionally, implementing proper input validation measures, including the use of allowlists for shortcode parameters, can prevent malicious data from reaching the deserialization stage. Network segmentation and privilege separation should also be considered, as limiting the access rights of low-privilege users can reduce the potential impact of such vulnerabilities. Organizations should also conduct comprehensive security assessments to identify other potential POP chains or vulnerable components that could be exploited in conjunction with this vulnerability, following ATT&CK framework principles for identifying and mitigating attack paths that leverage insecure deserialization techniques.
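An audit check to accompany the mitigations above, added here as an example and not taken from this entry or from the plugin's code: it scans stored post content for any shortcode whose 'included' attribute carries a PHP serialized object token. The tag name `archive_list`, the post IDs and the sample content are constructed, and the HTML-entity and URL-decoding steps are assumptions, because the entry gives neither the plugin's shortcode tag nor the attribute's expected format.

```python
import html
import re
from urllib.parse import unquote

# Any shortcode with an included="..." or included='...' attribute. The tag is
# left open because the entry does not name the plugin's shortcode tag.
SHORTCODE_ATTR = re.compile(
    r'''\[(?P<tag>[A-Za-z][\w-]*)\b[^\]]*?\bincluded\s*=\s*(?P<q>["'])(?P<val>.*?)(?P=q)''',
    re.S,
)
# PHP serialize() token for an object (O:) or custom-serialized class (C:).
SERIALIZED_OBJECT = re.compile(r'\b[OC]:\+?\d+:"(?P<cls>[A-Za-z_\\][\w\\]*)":\d+:\{')


def normalized_forms(value):
    """Return the raw value plus HTML-entity and URL-decoded forms (assumed encodings)."""
    unescaped = html.unescape(value)
    return [value, unescaped, unquote(unescaped)]


def find_suspect_shortcodes(post_id, content):
    """Flag shortcodes whose 'included' value contains a serialized PHP object."""
    findings = []
    for m in SHORTCODE_ATTR.finditer(content):
        for form in normalized_forms(m.group("val")):
            hit = SERIALIZED_OBJECT.search(form)
            if hit:
                findings.append((post_id, m.group("tag"), hit.group("cls")))
                break  # one finding per shortcode is enough for triage
    return findings


# Constructed sample rows (post ID, post_content); 'archive_list' is a placeholder tag.
SAMPLE_POSTS = [
    (101, 'Archive: [archive_list included="3,7,12"]'),
    (102, "[archive_list included='O:8:\"stdClass\":0:{}']"),
    (103, '[archive_list included="O:8:&quot;stdClass&quot;:0:{}"]'),
    (104, '[archive_list included="O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"]'),
]


def scan(posts):
    """Run the check over (post_id, content) rows and collect all findings."""
    return [f for post_id, content in posts for f in find_suspect_shortcodes(post_id, content)]


if __name__ == "__main__":
    for post_id, tag, cls in scan(SAMPLE_POSTS):
        print(f"post {post_id}: [{tag}] 'included' carries serialized object of class {cls}")
```

On a real site the rows would come from an export of post content, including drafts and pending submissions from Contributor accounts.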

Disclosure: 03/07/2026

Moderation: accepted

CPE: ready

EPSS: 0.00097

KEV: no

Activities: very low
