
CartFlows: Untrusted Data Can Allow Unwanted Actions

CVE-2026-25316
Summary

The CartFlows plugin for WordPress deserializes untrusted data without properly validating it, which allows object injection. This could lead to unauthorized actions or data modifications. The issue affects CartFlows versions through 2.1.19; update to version 2.2.0 or later to fix it.

Original title
Deserialization of Untrusted Data vulnerability in Brainstorm Force CartFlows cartflows allows Object Injection. This issue affects CartFlows: from n/a through <= 2.1.19.
Original description
Deserialization of Untrusted Data vulnerability in Brainstorm Force CartFlows cartflows allows Object Injection. This issue affects CartFlows: from n/a through <= 2.1.19.
NVD CVSS 3.1: 7.2
Vulnerability type
CWE-502 Deserialization of Untrusted Data
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026