CVE-2025-11993 is a PHP Object Injection vulnerability in the WooCommerce Infinite Scroll and Ajax Pagination plugin affecting all versions up to and including 1.8. Authenticated attackers at Subscriber level can inject arbitrary PHP objects via the import_settings function; if any co-installed plugin or theme supplies a POP chain, the attack escalates to RCE, file deletion, or data theft. WooCommerce e-commerce sites are the primary exposure surface.
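A log-triage check for the injection described above, as an added example that is not part of the advisory or the plugin's own code: it flags serialized PHP object tokens in form-encoded request bodies, whether sent plain or base64-wrapped. The "settings" parameter name and the sample bodies are constructed assumptions; the advisory names only the import_settings function.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

# Serialized PHP object ("O:") or custom-serialized ("C:") token, at the start
# of a value or nested after ';' or '{'. The optional '+' covers signed lengths.
OBJECT_TOKEN = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"([^"]+)":\d+:\{')


def _decodings(value):
    """Yield the value as sent and, if it is valid base64, its decoded text."""
    yield value
    try:
        raw = base64.b64decode(value, validate=True)
        yield raw.decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        pass  # not base64, only the plain form is checked


def find_object_tokens(body):
    """Return [(param, class_name)] for serialized PHP objects in a form body."""
    hits = []
    for param, value in parse_qsl(body, keep_blank_values=True):
        for text in _decodings(value):
            hits.extend((param, cls) for cls in OBJECT_TOKEN.findall(text))
    return hits


# Constructed sample request bodies (hypothetical parameter name "settings").
BENIGN = urlencode({"action": "import_settings",
                    "settings": 'a:1:{s:4:"mode";s:4:"ajax";}'})
NESTED = urlencode({"action": "import_settings",
                    "settings": 'a:1:{i:0;O:8:"stdClass":0:{}}'})
WRAPPED = urlencode({"action": "import_settings",
                     "settings": base64.b64encode(b'O:8:"stdClass":0:{}').decode()})

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("nested", NESTED), ("wrapped", WRAPPED)):
        print(name, find_object_tokens(body))
```

A settings export made only of arrays and scalars never contains an object token, so any hit on a settings-import request from a low-privilege account is worth reviewing.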