Applay – Shortcodes Vulnerability (High) – CVE-2026-22384

Feb 25, 2026 | Plugins

Attack Vectors

CVE-2026-22384 affects the Applay – Shortcodes WordPress plugin (slug: applay-shortcodes) in versions up to and including 3.7. It is rated High severity with a CVSS 7.5 score (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

The most likely entry point is an authenticated user account with Contributor-level access or higher. In practical terms, that can include a compromised contributor account, an overly broad role assignment to a third party, or a malicious insider. Because the attack is performed over the network and does not require user interaction, any environment that allows contributors to submit or manage content should treat this as a meaningful exposure.

While exploitation depends on conditions in the wider WordPress environment (see “Security Weakness” below), the risk increases on sites with many plugins/themes installed, frequent content publishing, multiple agencies, or many user accounts.

Security Weakness

The issue is a PHP Object Injection vulnerability caused by deserialization of untrusted input. Deserialization bugs can allow an attacker to inject a crafted PHP object into the application’s execution flow.

According to the published advisory, there is no known POP chain (a gadget chain required to turn injected objects into direct actions) in the vulnerable software itself. However, if a POP chain exists elsewhere on the site—through an additional plugin or theme—this weakness can become far more dangerous.

No known patch is currently available. That changes the risk conversation from “patch quickly” to “reduce exposure and consider replacement,” especially for business-critical sites and regulated environments.

Technical or Business Impacts

If a usable POP chain is present in your WordPress stack, exploitation could enable severe outcomes, including arbitrary file deletion, sensitive data retrieval, or even code execution. These technical outcomes map directly to business risks: site outage, defacement, loss of customer trust, lead-gen disruption, incident response costs, and potential compliance exposure depending on what data is accessible.

Even when direct code execution is not achievable, the presence of a high-severity deserialization flaw can materially increase risk by creating a pathway for attackers to chain multiple weaknesses together—especially in plugin-heavy environments.

Recommended mitigation (given no known patch): assess whether Applay – Shortcodes is necessary in production and consider uninstalling and replacing it based on your organization’s risk tolerance. In parallel, reduce the blast radius by limiting Contributor accounts, reviewing role assignments, removing unused plugins/themes (which can introduce gadget chains), and increasing monitoring around admin changes, file integrity, and unusual publishing activity.
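As an added monitoring aid (example code written for this page, not taken from the advisory or the plugin), the following scans contributor-submitted values for PHP serialized object headers in plain, URL-encoded, or base64 form. The advisory does not say which input carries the serialized data, so the `(author, field, value)` record format, the author names, and the class names are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# PHP serialize() object headers: O:<len>:"Class":<props>:{ and C:<len>:"Class":<bytes>:{
OBJECT_TOKEN = re.compile(r'\b[OC]:(\d+):"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
BASE64_RUN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')

def classes_in(text):
    # Keep only headers whose declared length matches the class name, which
    # filters out prose that merely resembles the pattern.
    return [m.group(2) for m in OBJECT_TOKEN.finditer(text)
            if int(m.group(1)) == len(m.group(2))]

def find_serialized_objects(value):
    """Return sorted (encoding, class_name) pairs found in one submitted value."""
    found = {("plain", c) for c in classes_in(value)}
    views = [value]
    decoded = unquote_plus(value)
    if decoded != value:
        views.append(decoded)
        found.update(("url-encoded", c) for c in classes_in(decoded)
                     if ("plain", c) not in found)
    for text in views:
        for run in BASE64_RUN.findall(text):
            try:
                raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, ignore this run
            found.update(("base64", c) for c in classes_in(raw.decode("latin-1")))
    return sorted(found)

def scan_submissions(records):
    """records: (author, field, value) tuples, e.g. exported post revisions."""
    return [{"author": a, "field": f, "encoding": enc, "class": cls}
            for a, f, v in records for enc, cls in find_serialized_objects(v)]

# Constructed sample data (hypothetical authors, fields and class names).
B64_SAMPLE = base64.b64encode(b'O:14:"Example_Gadget":0:{}').decode()
SAMPLES = [
    ("editor1", "post_content", 'Quarterly update with a [button size="O:2"] shortcode.'),
    ("contrib7", "post_content", '[box data=\'O:8:"stdClass":0:{}\']'),
    ("contrib7", "post_meta", "O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
    ("contrib9", "post_content", '[box data="' + B64_SAMPLE + '"]'),
    ("contrib9", "post_content", 'Ratio O:3:"stdClass":0:{} is a length mismatch.'),
]

if __name__ == "__main__":
    for alert in scan_submissions(SAMPLES):
        print(alert)
```

A hit is a lead for review rather than proof of exploitation, since legitimate plugins also store serialized data; the author and field on each alert indicate which account and content to examine.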

Reference: CVE-2026-22384 (and the vendor-reported details from Wordfence).

Similar attacks: PHP object injection and unsafe deserialization have been used to compromise CMS deployments when a gadget chain is available. A well-known WordPress example is CVE-2019-15888 (ThemeGrill Demo Importer), which attackers leveraged to escalate impact due to unsafe unserialization patterns.
