Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
JS Archive List for WordPress: Untrusted Input Can Cause Harm
CVE-2026-2020
Summary
The JS Archive List plugin for WordPress has a security flaw that can allow an attacker with contributor-level access to inject malicious code. This could potentially lead to the deletion of files, access to sensitive data, or execution of code. To fix this, update the plugin to the latest version, 6.1.8 or higher.
Original title
The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization...
Original description
The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
nvd CVSS3.1
7.5
Vulnerability type
CWE-502
Deserialization of Untrusted Data
- https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/tags/6.1.7...
- https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/tags/6.1.7...
- https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/trunk/clas...
- https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/trunk/clas...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9b0f6653-471b-4cee-9c9...
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026