PatchSiren cyber security CVE debrief
CVE-2026-39499 Wombat Plugins CVE debrief
CVE-2026-39499 is a HIGH-severity vulnerability in Advanced Product Fields (Product Addons) for WooCommerce, with a CVSS score of 7.2. The vulnerability allows for PHP Object Injection and affects versions up to 1.6.19. The CVE was published on 2026-06-15T21:16:45.230Z and last modified on 2026-06-15T21:24:32.790Z.
- Vendor
- Wombat Plugins
- Product
- Advanced Product Fields (Product Addons) for WooCommerce
- CVSS
- HIGH 7.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of Advanced Product Fields (Product Addons) for WooCommerce, particularly those with shop manager roles, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by a PHP Object Injection issue in the Advanced Product Fields (Product Addons) for WooCommerce plugin. This could allow an attacker to inject malicious PHP objects, potentially leading to code execution.
Defensive priority
HIGH
Recommended defensive actions
- Update to a patched version of Advanced Product Fields (Product Addons) for WooCommerce if possible.
- Review and restrict access to sensitive areas of the WooCommerce platform.
- Monitor for suspicious activity related to PHP object injection.
Evidence notes
Evidence suggests that this vulnerability was discovered and reported through Patchstack.
Official resources
-
CVE-2026-39499 CVE record
CVE.org
-
CVE-2026-39499 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-39499 was published on 2026-06-15T21:16:45.230Z and last modified on 2026-06-15T21:24:32.790Z.