An attacker with only a basic WordPress account — the kind created during routine customer checkout — could exploit this flaw to take over the underlying web server if any other installed plugin or theme provides an exploitable code path. For WooCommerce stores, a full server compromise means potential theft of order data, customer records, and payment-adjacent information, alongside the risk of website defacement or ransomware deployment. Regulatory exposure under PCI-DSS is a consideration for merchants processing card payments through the affected WordPress instance, and customer trust damage from a visible compromise can directly reduce conversion rates and revenue.
You Are Affected If
You run the WooCommerce Infinite Scroll and Ajax Pagination plugin at version 1.8 or below on a WordPress installation
Your WordPress site allows user account registration at Subscriber level or above (common on WooCommerce storefronts)
Your WordPress installation has other plugins or themes installed that contain known or as-yet-unknown PHP POP (property-oriented programming) gadget chains, i.e. classes whose magic methods do something dangerous when a serialized object of that class is unserialized
The WordPress admin interface or storefront is internet-facing without a WAF or IPS inspecting POST request bodies
You have not yet updated the plugin beyond version 1.8 or disabled it pending a patch
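The last conditions above come down to one thing: a serialized PHP object in a POST body reaching the plugin's code path, where any co-installed POP chain turns it into code execution. The following is an added example, not part of this advisory or of the plugin, of the inspection a WAF, IPS or offline request-log review can apply to POST bodies: it flags parameters whose value (raw or base64-wrapped) carries a serialized PHP object header. The parameter names and request bodies are constructed placeholders, not the plugin's real parameters.

```python
import base64
import binascii
import re
from urllib.parse import quote_plus, unquote_plus

# Header of a serialized PHP object: O:<len>:"<class>":<props>:{ ... }
# (C: is the variant for classes implementing Serializable). Serialized
# arrays or scalars alone do not match; only objects can start a POP chain.
PHP_OBJECT = re.compile(r'\b[OC]:\d+:"([A-Za-z0-9_\\]+)":\d+:[{]')


def _maybe_base64(value):
    """Return decoded ASCII text if value is base64 of text, else None."""
    if len(value) < 8 or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_php_objects(body):
    """Scan a form-encoded POST body; return [(param, class, encoding)] for
    each parameter carrying a serialized PHP object, raw or base64-wrapped."""
    findings = []
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        # Serialized data contains ; { } and quotes, so it arrives percent-encoded.
        value = unquote_plus(value)
        for encoding, text in (("raw", value), ("base64", _maybe_base64(value))):
            if text:
                for m in PHP_OBJECT.finditer(text):
                    findings.append((name, m.group(1), encoding))
    return findings


# Constructed sample bodies (hypothetical parameter names, not the plugin's).
SAMPLES = {
    "benign": "action=load_more&page=2&category=shoes",
    "raw_object": "action=load_more&settings=" + quote_plus('O:8:"stdClass":1:{s:4:"page";i:2;}'),
    "nested": "action=load_more&settings=" + quote_plus('a:1:{i:0;O:8:"stdClass":0:{}}'),
    "base64": "action=load_more&settings=" + quote_plus(base64.b64encode(b'O:8:"stdClass":0:{}').decode()),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, find_php_objects(body) or "clean")
```

A hit is a strong signal for this vulnerability class but not proof of exploitation; correlate the source account (the flaw needs only a Subscriber-level login) and the target plugin endpoint before escalating.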
Board Talking Points
A low-privilege website account is sufficient to attempt a full server takeover on WooCommerce stores running an unpatched pagination plugin.
The technology team should update or disable the affected plugin within 72 hours and audit co-installed plugins for compounding risk.
Failure to act leaves customer order data and the e-commerce platform itself exposed to theft, defacement, or ransomware.
PCI-DSS — WooCommerce storefronts process or route payment card transactions; server compromise via this vulnerability could expose cardholder data or the payment environment to unauthorized access