CVE Catalog
CVE-2026-57677
Critical (CVSS 9.8)
Summary
The Novalnet Payment Gateway for WooCommerce plugin, versions 12.10.3 and earlier, is vulnerable to unauthenticated PHP Object Injection. A remote attacker can send a crafted request, leading to arbitrary PHP code execution on the server.
Risk Assessment
The risk includes full server compromise, customer data theft, and modification of store content. The attack does not require authentication, making it easier to exploit.
Recommendation
Immediately update the Novalnet Payment Gateway for WooCommerce plugin to version 12.10.4 or later. If an update is not possible, temporarily disable the plugin.
Original NVD description (English source)
Unauthenticated PHP Object Injection in Novalnet Payment Gateway for WooCommerce <= 12.10.3 versions.

