A critical (CVSS 9.8) deserialization flaw in the Boost plugin for WordPress (versions ≤ 2.0.3) lets unauthenticated attackers inject PHP objects via the STYXKEY-BOOST_USER_LOCATION cookie, opening the door to remote code execution or file tampering when a POP chain exists elsewhere on the site.
What Is It
CVE-2026-7637 is a PHP Object Injection vulnerability (CWE-502) in the Boost plugin for WordPress, published 2026-05-20 by Wordfence. The plugin deserializes untrusted input read from the STYXKEY-BOOST_USER_LOCATION cookie. Because the cookie is attacker-controlled and no authentication is required, any remote unauthenticated user can deliver a crafted serialized PHP object to the deserialization sink.
Boost itself does not contain a usable POP (Property-Oriented Programming) chain. Exploitation requires a POP chain provided by another plugin or theme installed on the same WordPress site, a common situation given the breadth of the WordPress plugin ecosystem.
Why It Matters
The CVSS v3.1 base score is 9.8 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
When chained with a POP gadget from another installed component, an attacker can:
- Delete arbitrary files
- Retrieve sensitive data
- Execute arbitrary code
In practice, WordPress sites typically run multiple plugins and themes, so the "no impact in isolation" caveat offers limited real-world protection. Object injection bugs of this class have historically been weaponized quickly once disclosed.
What's Vulnerable
- Product: Boost plugin for WordPress (PixelYourSite)
- Affected versions: Up to and including 2.0.3
- Attack vector: Unauthenticated HTTP request carrying a malicious STYXKEY-BOOST_USER_LOCATION cookie value
- Weakness: CWE-502, Deserialization of Untrusted Data
The CVE is not currently listed in CISA's Known Exploited Vulnerabilities catalog; no confirmed in-the-wild exploitation has been reported in the supplied sources.
Patch Status
The supplied sources do not specify a fixed version. Administrators running Boost ≤ 2.0.3 should monitor the vendor page and Wordfence advisory for an updated release, and in the interim consider disabling the plugin or restricting requests carrying the affected cookie. Auditing installed plugins and themes for known POP-chain components reduces blast radius.
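As an added example (not code from the advisory's sources or from the Boost plugin), the interim mitigation above can be backed by a cookie check at the edge or in a WordPress mu-plugin: the Python below walks PHP's serialize() grammar and flags a STYXKEY-BOOST_USER_LOCATION value that carries any object token (O: or C:), while letting plain scalar and array values through. It assumes the plugin's legitimate cookie holds a serialize()d array or scalar; the header and cookie values in the comments and tests are constructed, and stdClass stands in for whatever class an injected object would name.

```python
import re
from urllib.parse import unquote_to_bytes
COOKIE_NAME = "STYXKEY-BOOST_USER_LOCATION"

def scan_serialized(data: bytes):
    """Walk PHP's serialize() grammar and return (object_class_names, malformed).
    String bodies are skipped by their declared byte length, so an "O:" that merely
    appears inside a string value (e.g. a city name) is not a false positive."""
    classes, i = [], 0
    while i < len(data):
        t = data[i:i + 1]
        if t in (b";", b"{", b"}"):                    # structural separators
            i += 1
        elif t == b"N" and data[i + 1:i + 2] == b";":  # null
            i += 2
        elif t in (b"b", b"i", b"d", b"r", b"R"):      # bool/int/float/reference: X:value;
            end = data.find(b";", i)
            if end < 0: return classes, True
            i = end + 1
        elif t == b"s":                                # s:LEN:"LEN bytes";
            m = re.match(rb's:(\d+):"', data[i:])
            if not m: return classes, True
            i += m.end() + int(m.group(1))
            if data[i:i + 2] != b'";': return classes, True
            i += 2
        elif t == b"a":                                # a:COUNT:{ ... }
            m = re.match(rb"a:\d+:\{", data[i:])
            if not m: return classes, True
            i += m.end()
        elif t in (b"O", b"C"):                        # O:LEN:"Class":N:{  /  C:LEN:"Class":LEN:{
            m = re.match(rb'[OC]:\d+:"([^"]*)":(\d+):\{', data[i:])
            if not m: return classes, True
            classes.append(m.group(1).decode("latin-1"))
            i += m.end() + (int(m.group(2)) if t == b"C" else 0)   # C payload is opaque bytes
        else:
            return classes, True
    return classes, False

def classify_cookie(cookie_header: str) -> str:
    """Verdict for one raw Cookie request header: 'absent', 'benign' (scalars and arrays
    only), 'object:<classes>' or 'unparsable' (not serialize() output; log for review).
    The value is percent-decoded to bytes because PHP lengths are byte counts."""
    for part in cookie_header.split(";"):
        key, _, val = part.strip().partition("=")
        if key == COOKIE_NAME:
            classes, malformed = scan_serialized(unquote_to_bytes(val))
            if classes:
                return "object:" + ",".join(classes)
            return "unparsable" if malformed else "benign"
    return "absent"
```

Any "object:" verdict is a request to block or alert on; "unparsable" should be reviewed before being blocked, since it depends on the assumption that the plugin only ever stores serialize() output in the cookie.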