WordPress YITH WooCommerce Product Add-Ons Plugin <= 4.3.0 is vulnerable to PHP Object Injection
CVE-2023-49777
9.1 CRITICAL
Key Information:
- Vendor: WordPress
- CVE Published: 31 December 2023
Summary
The YITH WooCommerce Product Add-Ons plugin deserializes untrusted data. This weakness can be exploited through external scripts, leading to PHP object injection and potentially allowing unauthorized access to and manipulation of user data. Affected versions run from an unspecified starting version (n/a) through 4.3.0, so users should update and secure their installations.
Affected Version(s)
YITH WooCommerce Product Add-Ons <= 4.3.0
CVSS V3.1
Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Rafie Muhammad (Patchstack)