Unauthenticated Attackers Can Inject PHP Objects and Lead to Remote Code Execution via WooCommerce Plugin
CVE-2024-10828
Key Information:
- Vendor: WordPress
- CVE Published: 13 November 2024
Summary
The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.5. The flaw stems from the deserialization of untrusted input during the order export process when the 'Try to convert serialized values' option is enabled. An unauthenticated attacker can exploit it to inject a PHP object. If a potentially harmful PHP object is instantiated, a property-oriented programming (POP) chain can be built that ultimately allows the attacker to delete arbitrary files on the server. This can lead to remote code execution, for example if a critical file such as wp-config.php is deleted.
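As an added illustration, and not code from the plugin or from this advisory: a hypothetical "convert serialized values" helper in the risky shape the summary describes, next to a hardened version that never instantiates objects from export input. The function names are assumptions.

```php
<?php
// Illustrative only, NOT the plugin's code. It models the risky pattern the
// advisory describes (an export option that "converts" serialized values with
// unserialize()) and a hardened replacement that a maintainer could adopt.

// Hypothetical "before": any value that parses as serialized data is
// unserialized as-is. A crafted value reaching this code would have its
// objects instantiated, which is what makes a POP chain possible.
function convert_serialized_value_unsafe(string $value)
{
    $decoded = @unserialize($value);           // objects in $value are instantiated
    return $decoded === false ? $value : $decoded;
}

// Hardened: an export only needs scalars and arrays, so object payloads are
// never instantiated. With allowed_classes => false, PHP turns any O:/C:
// token into __PHP_Incomplete_Class, so no __wakeup/__destruct gadget runs;
// the result is then checked and discarded if any object remains inside.
function convert_serialized_value_safe(string $value)
{
    if (!preg_match('/^(?:[asidb]:|N;)/', $value)) {
        return $value;                         // not serialized, leave untouched
    }
    $decoded = @unserialize($value, ['allowed_classes' => false]);
    if ($decoded === false && $value !== 'b:0;') {
        return $value;                         // malformed: keep the raw string
    }
    if (contains_object($decoded)) {
        return $value;                         // object payload: refuse to use it
    }
    return $decoded;
}

// Recursively reports whether a decoded value holds any object
// (including __PHP_Incomplete_Class placeholders nested in arrays).
function contains_object($data): bool
{
    if (is_object($data)) {
        return true;
    }
    if (is_array($data)) {
        foreach ($data as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}
```

Rejecting object payloads before use is the point: the hardened version keeps the feature for plain arrays and scalars while leaving nothing for a gadget chain to run in.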
Affected Version(s)
Advanced Order Export For WooCommerce * <= 3.5.5