PatchSiren cyber security CVE debrief
CVE-2026-7637 PixelYourSite CVE debrief
The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. Administrators of WordPress sites using the Boost plugin version 2.0.3 or earlier should be aware of this vulnerability and take steps to mitigate it, especially if other plugins or themes with a POP chain are installed.
- Vendor
- PixelYourSite
- Product
- Boost
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-20
- Original CVE updated
- 2026-05-20
- Advisory published
- 2026-05-20
- Advisory updated
- 2026-05-20
Who should care
Administrators of WordPress sites using the Boost plugin version 2.0.3 or earlier should be aware of this vulnerability and take steps to mitigate it, especially if other plugins or themes with a POP chain are installed. This vulnerability has a CVSS score of 9.8 and a severity of CRITICAL, making it a high priority for remediation.
Technical summary
The vulnerability exists in the Boost plugin for WordPress, specifically in versions up to and including 2.0.3. It is caused by the deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie, allowing unauthenticated attackers to inject a PHP Object. However, the vulnerability does not have an impact unless another plugin or theme with a POP chain is installed on the site. The vulnerability has a CVSS score of 9.8 and a severity of CRITICAL.
Defensive priority
High
Recommended defensive actions
- Update the Boost plugin to a version that is not vulnerable
- Review and update other plugins and themes for potential POP chains
- Implement additional security measures to monitor and restrict PHP object injection attempts
- Consider using a Web Application Firewall (WAF) to detect and prevent attacks
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-05-20T04:16:56.747Z and was last modified on 2026-05-20T13:54:54.890Z. The NVD entry is currently Deferred. The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. Evidence is limited to CVE and NVD details.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-05-20T04:16:56.747Z and has not been modified since then. The NVD entry is currently Deferred.