JS Archive List Vulnerability (High) – CVE-2026-2020

Mar 6, 2026 | Plugins

Attack Vectors

High severity (CVSS 7.5) vulnerability CVE-2026-2020 affects the JS Archive List WordPress plugin (slug: jquery-archive-list-widget) in versions 6.1.7 and below. The issue can be exploited by an authenticated user with Contributor-level access or higher.

The attack path involves submitting a shortcode that uses the plugin’s ‘included’ attribute. Because the plugin processes this value in an unsafe way (deserializing untrusted input), an attacker with the right role can attempt to inject a PHP object through normal WordPress content workflows.

Security Weakness

The root weakness is deserialization of untrusted input supplied via the shortcode’s ‘included’ parameter in JS Archive List. In plain business terms: the plugin accepts a structured value from a logged-in user and processes it as if it were trusted, which can open the door to unintended actions.

According to the published vulnerability information, no known “POP chain” exists in the vulnerable software itself. However, risk can increase if another plugin or theme on the same WordPress site provides the missing pieces that enable more damaging outcomes.
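The weak pattern described above, shown beside a hardened version. This is an added, constructed illustration, not the JS Archive List plugin's own code: the shortcode name `demo_archive` and the function names are hypothetical, and it assumes the `included` attribute is meant to carry a list of post IDs.

```php
<?php
// Constructed example: a hypothetical [demo_archive included="..."] shortcode.
// Not the plugin's code; WordPress helpers (shortcode_atts, add_shortcode,
// absint, esc_html) are real, everything else is illustrative.

// VULNERABLE PATTERN: the attribute value comes straight from post content
// that a Contributor can write, so unserialize() lets that user decide which
// PHP object gets instantiated. Whether that leads anywhere depends on what
// gadget classes other plugins or themes load (the "POP chain" the advisory
// says is absent from this plugin alone).
function demo_archive_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'included' => '' ), $atts, 'demo_archive' );
    $ids  = unserialize( $atts['included'] ); // untrusted input -> object injection
    return is_array( $ids ) ? implode( ',', $ids ) : '';
}

// HARDENED PATTERN: never deserialize shortcode input. Treat the attribute as
// a plain comma-separated list and coerce every element to a non-negative
// integer, which is all the feature needs; no object can be created here.
function demo_archive_included_ids( $raw ) {
    $ids = array_map( 'absint', explode( ',', (string) $raw ) );
    return array_values( array_unique( array_filter( $ids ) ) );
}

function demo_archive_hardened( $atts ) {
    $atts = shortcode_atts( array( 'included' => '' ), $atts, 'demo_archive' );
    $ids  = demo_archive_included_ids( $atts['included'] );
    return esc_html( implode( ',', $ids ) );
}

add_shortcode( 'demo_archive', 'demo_archive_hardened' );

// If a legacy serialized format must still be read for backward compatibility,
// refuse object instantiation outright (PHP 7.0+); unknown classes then arrive
// as __PHP_Incomplete_Class and cannot trigger magic methods:
// $ids = unserialize( $raw, array( 'allowed_classes' => false ) );
```

Note that WordPress's own `maybe_unserialize()` calls `unserialize()` without restrictions, so routing user-supplied values through it gives no protection either.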

Technical or Business Impacts

For executives and compliance teams, this is primarily a site integrity and business disruption risk. Because this is rated High with the potential for high impact to confidentiality, integrity, and availability, it can translate into unauthorized changes, loss of content, operational downtime, and brand damage—especially if combined with other components on the site.

This issue is also a governance risk: many organizations grant Contributor access broadly (agencies, interns, contractors, regional marketers). If accounts are compromised through phishing or password reuse, attackers may gain exactly the access level required to attempt exploitation.

Remediation: Update JS Archive List to version 6.2.0 or a newer patched version. Reference: Wordfence vulnerability record.

Similar Attacks

Object injection and unsafe deserialization issues have appeared in major WordPress plugins before, often becoming more severe when paired with other installed components. Examples include:

Elementor Pro (Wordfence write-up) — an example of a WordPress plugin security issue that drew broad attention and required rapid patching.

Easy WP SMTP (Wordfence write-up) — illustrates how plugin flaws can be leveraged to compromise site operations and trust.
