CVE-2026-49777
📛 CVE Title
WordPress Product Slider Pro for WooCommerce plugin < 3.5.3 - Backdoor vulnerability
Description
Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted. This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.3. No patched version is available - the vendor has applied a fix to an existing release without publishing a new version. While the patch provided by the vendor is valid, releasing it under the existing version number leaves users unable to reliably determine whether they are running a patched or vulnerable installation. As a result, we treat this as an unpatched version.
Overview
- State
- PUBLISHED
- Assigner (CNA)
- Patchstack
- CVSS severity
- CRITICAL
- CVSS score
- 10.0 / 10
- CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H- Effective score
- 10.0 / 10 CRITICAL source: CNA overview
- CWE(s)
-
CWE-1284 - Reserved
- 2026-06-01
- Published
- 2026-06-05 08:59 UTC
- Last updated
- 2026-06-05 08:59 UTC
- Source
- https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/49xxx/CVE-2026-49777.json
- Linked Threat
- CVE-2026-49777 — WordPress Product Slider Pro for WooCommerce plugin < 3.5.3 - Backdoor vulnerability
NVD triage scoring NVD CVE 2.0
Layer NVD adds on top of the CNA's CVE record — published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.
- NVD published
- 2026-06-05 09:16:26 UTC
- NVD last modified
- 2026-06-05 09:16:26 UTC
- NVD CVSS v3.1
- 10.0 / 10 CRITICAL source: audit@patchstack.com
- NVD CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H- Exploitability subscore
- 3.9 / 10
- Impact subscore
- 6.0 / 10
NVD / KEV / EPSS data refreshed 2026-06-05 10:56 UTC. Re-run the 🛰 Backfill from NVD button above to refresh.
Affected products (1)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| ShapedPlugin, LLC | Product Slider Pro for WooCommerce |
n/a (affected)
|
— |
Remediations (15)
Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.
-
web:www.malwarebytes.com
This Chrome update fixes critical flaws attackers could exploit through malicious websites, but not the "Browser Fetch" vulnerability.
2026-06-05 12:55 UTC -
web:thecyberexpress.com
Notepad++ patches CVE - 2026 -48778, CVE - 2026 -48770, and CVE - 2026 -48800 flaws that could enable RCE and command injection attacks.
2026-06-05 12:55 UTC -
web:nvd.nist.gov
Official websites use .gov A .gov website belongs to an official government organization in the United States.
2026-06-05 12:55 UTC -
web:petri.com
If a Group Policy setting is available to roll back a fix , it is included in the Windows Update KB article and release notes as a mitigation for a known issue.
2026-06-05 12:55 UTC -
web:cybersecuritynews.com
Microsoft's May 2026 Patch Tuesday lands with a heavy enterprise focus, fixing 120 vulnerabilities across Windows, Office, Azure, developer tools, and Microsoft 365 apps, including 29 remote code execution (RCE) flaws rated Critical.
2026-06-05 12:55 UTC -
web:www.frankysweb.de
Microsoft has reported the vulnerability CVE - 2026 -42897 with CVSS 8.1, High severity in all Exchange Server versions. A mitigation is available.
2026-06-05 12:55 UTC -
web:www.oracle.com
This Critical Patch Update contains 481 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at April 2026 Critical Patch Update: Executive Summary and Analysis.
2026-06-05 12:55 UTC -
web:www.rapid7.com
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday, including critical RCE in Netlogon and the Windows DNS client.
2026-06-05 12:55 UTC -
web:www.securityweek.com
Microsoft is working to patch CVE - 2026 -42897, an Exchange Server zero-day vulnerability that has been exploited in attacks.
2026-06-05 12:55 UTC -
web:cybersecuritynews.com
Microsoft Exchange Server spoofing flaw, is being actively exploited against on-premises systems before a permanent patch is available.
2026-06-05 12:55 UTC -
web:zecurit.com
Get the complete breakdown of Microsoft's June 2026 Patch Tuesday. We analyze the latest security updates and all critical CVEs .
2026-06-05 12:55 UTC -
web:nvd.nist.gov
This is a potential security issue, you are being redirected to https://nvd.nist.gov
2026-06-05 12:55 UTC -
web:portal.msrc.microsoft.com
The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.
2026-06-05 12:55 UTC -
web:translate.google.com
Google's service, offered free of charge, instantly translates words, phrases, and web pages between English and over 100 other languages.
2026-06-05 12:55 UTC -
web:windowsforum.com
The mitigation name administrators should verify for CVE - 2026 -42897 is M2. Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition are affected at any update level, while Exchange Online is not affected.
2026-06-05 12:55 UTC
Vendor references (1)
References embedded in the original CVE record by the assigning CNA.
MITRE references (1) cveawg.mitre.org
Pulled from MITRE's CVE Services API by the 🛰 Backfill from MITRE button.
Web references (0)
DuckDuckGo results ranked by threat-intel / vendor advisory domains. Generated by the 🔎 Find references (web) button above — same flow as the Remediations search.
No web references attached yet.
NVD-tagged references (1)
Reference list NVD curates from the CNA record, vendor advisories, and third-party reports. The tag chips below are NVD's analyst-assigned categories.
AI Forensic Analysis
Only Available for Registered Users. Sign in to view.
Raw JSON
The full cvelistV5 record. Download as CVE-2026-49777.json.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Slider Pro for WooCommerce",
"vendor": "ShapedPlugin, LLC",
"versions": [
{
"lessThan": "3.5.3",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Shane | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted.<p>This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.3.<br><br>No patched version is available - the vendor has applied a fix to an existing release without publishing a new version. While the patch provided by the vendor is valid, releasing it under the existing version number leaves users unable to reliably determine whether they are running a patched or vulnerable installation. As a result, we treat this as an unpatched version.</p>"
}
],
"value": "Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted.\n\nThis issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.3.\n\nNo patched version is available - the vendor has applied a fix to an existing release without publishing a new version. While the patch provided by the vendor is valid, releasing it under the existing version number leaves users unable to reliably determine whether they are running a patched or vulnerable installation. As a result, we treat this as an unpatched version."
}
],
"impacts": [
{
"capecId": "CAPEC-523",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-523 Malicious Software Implanted"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284 Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T08:59:53.320Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/woo-product-slider-pro/vulnerability/wordpress-product-slider-pro-for-woocommerce-plugin-3-5-2-backdoor-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Product Slider Pro for WooCommerce plugin < 3.5.3 - Backdoor vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-49777",
"datePublished": "2026-06-05T08:59:53.320Z",
"dateReserved": "2026-06-01T15:29:19.865Z",
"dateUpdated": "2026-06-05T08:59:53.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}