cleantalk
Vulnerabilities and Security Researches

JS Archive List Widget, CVE-2026-2020

CVE, Research URL

CVE-2026-2020

Home page URL

Security reports for JS Archive List Widget

Application

JS Archive List Widget

Published on
Mar 07, 2026
Research Description
The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Affected versions
max 6.2.0.
Status
vulnerable
Previous vulnerability researches
PDF Invoices & Packing Slips for WooCommerce (CVE-2022-2537) , Jun 06, 2024
PDF Invoices & Packing Slips for WooCommerce (CVE-2024-3047) , Jun 06, 2024
PDF Invoices & Packing Slips for WooCommerce (CVE-2026-1906) , Apr 15, 2026
PDF Invoices & Packing Slips for WooCommerce (CVE-2024-50421) , Oct 27, 2024
PDF Invoices & Packing Slips for WooCommerce (CVE-2025-67589) , Jan 09, 2026
New vulnerability
WP Google Ad Manager Plugin (CVE-2026-1399) , Apr 15, 2026
WP Social Meta (CVE-2026-2498) , Apr 15, 2026
Allow HTML in Category Descriptions (CVE-2026-0693) , Apr 15, 2026
Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display G (CVE-2026-1916) , Apr 15, 2026
s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscription (CVE-2026-1994) , Apr 15, 2026