PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7637 PixelYourSite CVE debrief

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. Administrators of WordPress sites using the Boost plugin version 2.0.3 or earlier should be aware of this vulnerability and take steps to mitigate it, especially if other plugins or themes with a POP chain are installed.

Vendor
PixelYourSite
Product
Boost
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-20
Original CVE updated
2026-05-20
Advisory published
2026-05-20
Advisory updated
2026-05-20

Who should care

Administrators of WordPress sites using the Boost plugin version 2.0.3 or earlier should be aware of this vulnerability and take steps to mitigate it, especially if other plugins or themes with a POP chain are installed. This vulnerability has a CVSS score of 9.8 and a severity of CRITICAL, making it a high priority for remediation.

Technical summary

The vulnerability exists in the Boost plugin for WordPress, specifically in versions up to and including 2.0.3. It is caused by the deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie, allowing unauthenticated attackers to inject a PHP Object. However, the vulnerability does not have an impact unless another plugin or theme with a POP chain is installed on the site. The vulnerability has a CVSS score of 9.8 and a severity of CRITICAL.

Defensive priority

High

Recommended defensive actions

  • Update the Boost plugin to a version that is not vulnerable
  • Review and update other plugins and themes for potential POP chains
  • Implement additional security measures to monitor and restrict PHP object injection attempts
  • Consider using a Web Application Firewall (WAF) to detect and prevent attacks
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-05-20T04:16:56.747Z and was last modified on 2026-05-20T13:54:54.890Z. The NVD entry is currently Deferred. The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. Evidence is limited to CVE and NVD details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-05-20T04:16:56.747Z and has not been modified since then. The NVD entry is currently Deferred.