PHP Object Injection Vulnerability in Compare Products for WooCommerce Plugin
CVE-2024-12313

8.1HIGH

Key Information:

Vendor:
WordPress
CVE Published:
7 January 2025

Summary

The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.2.1 via deserialization of untrusted input from the 'woo_compare_list' cookie. Because the cookie is attacker-controlled and is read before any authentication check, unauthenticated attackers can cause the server to instantiate arbitrary PHP objects. No known POP (Property-Oriented Programming) chain is present in the vulnerable plugin itself, so object injection alone has no direct impact. If a POP chain is present via another plugin or theme installed on the target system, however, the same injection may let the attacker delete arbitrary files, retrieve sensitive data, or execute code.
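To make the vulnerability class concrete, the following is an added illustration written for this page; it is not code from the Compare Products for WooCommerce plugin, from the vendor, or from the advisory. The function names, the Hypothetical_Log_Writer gadget class, the file path and the cookie values are all assumptions; the only detail taken from the advisory is the cookie name 'woo_compare_list'. It shows the unsafe unserialize() pattern beside two hardened forms, and why a magic method on any loaded class is all an attacker needs once the plugin instantiates an object for them.

```php
<?php
// Added illustration of PHP Object Injection via a cookie. This is NOT code from
// the Compare Products for WooCommerce plugin: the class, function and file
// names below are hypothetical; only the cookie name matches the advisory.

// Hypothetical gadget: a class with a magic method, standing in for whatever
// another installed plugin or theme might provide. The vulnerable plugin never
// references it; unserialize() instantiates it simply because it is loaded.
class Hypothetical_Log_Writer {
    public $path;
    public $data;
    public function __destruct() {
        // Fires when the object is destroyed, even though the caller only
        // expected an array and never calls anything on the object.
        if ($this->path !== null) {
            file_put_contents($this->path, (string) $this->data);
        }
    }
}

// Helper shared by the hardened variants: keep only positive integer product IDs.
function sanitize_product_ids($list): array {
    if (!is_array($list)) {
        return [];
    }
    $ids = array_map('intval', $list);
    return array_values(array_filter($ids, fn(int $id): bool => $id > 0));
}

// Vulnerable pattern: untrusted cookie passed straight to unserialize().
// (WordPress slash-escapes $_COOKIE, so plugin code typically unslashes first;
// stripslashes() is a no-op on the constructed values used below.)
function get_compare_list_vulnerable(array $cookies): array {
    if (empty($cookies['woo_compare_list'])) {
        return [];
    }
    $list = @unserialize(stripslashes($cookies['woo_compare_list']));
    // Any object the attacker chose has already been created by this point;
    // its __destruct() runs when $list goes out of scope on return.
    return is_array($list) ? $list : [];
}

// Hardened pattern 1: forbid class instantiation. Serialized objects become
// __PHP_Incomplete_Class, which carries no magic-method behaviour.
function get_compare_list_no_classes(array $cookies): array {
    if (empty($cookies['woo_compare_list'])) {
        return [];
    }
    $list = @unserialize(stripslashes($cookies['woo_compare_list']), ['allowed_classes' => false]);
    return sanitize_product_ids($list);
}

// Hardened pattern 2 (preferred): never use PHP's native serialization for
// data that leaves the server. JSON cannot express PHP objects at all.
function get_compare_list_json(array $cookies): array {
    if (empty($cookies['woo_compare_list'])) {
        return [];
    }
    $list = json_decode(stripslashes($cookies['woo_compare_list']), true);
    return sanitize_product_ids($list);
}

// Constructed attacker cookie: a serialized Hypothetical_Log_Writer in place of
// the expected array of product IDs. Written by hand so that no object exists
// (and no __destruct() fires) until the vulnerable code deserializes it.
$attacker_cookie = 'O:23:"Hypothetical_Log_Writer":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"data";s:5:"pwned";}';

// Constructed benign cookie of the shape the plugin expects: two product IDs.
$benign_cookie = 'a:2:{i:0;i:42;i:1;i:17;}';

@unlink('/tmp/pwned.txt');

get_compare_list_vulnerable(['woo_compare_list' => $attacker_cookie]);
echo "vulnerable path: gadget fired = " . var_export(file_exists('/tmp/pwned.txt'), true) . "\n";
@unlink('/tmp/pwned.txt');

get_compare_list_no_classes(['woo_compare_list' => $attacker_cookie]);
echo "allowed_classes=false: gadget fired = " . var_export(file_exists('/tmp/pwned.txt'), true) . "\n";

get_compare_list_json(['woo_compare_list' => $attacker_cookie]);
echo "json_decode: gadget fired = " . var_export(file_exists('/tmp/pwned.txt'), true) . "\n";

// Legitimate data still round-trips through the hardened unserialize variant.
print_r(get_compare_list_no_classes(['woo_compare_list' => $benign_cookie]));
```

Run it with the PHP CLI. Only the vulnerable path leaves /tmp/pwned.txt behind, and it does so without the plugin code ever touching the injected object: the write happens in a destructor that runs as the function returns. That is the mechanism the advisory's "no known POP chain" caveat refers to: the plugin hands the attacker instantiation of any loaded class, and whether that is exploitable depends entirely on which classes other plugins and themes bring into the process. Setting `allowed_classes` to `false` closes the instantiation primitive, but switching the cookie to JSON (and, if the contents matter, authenticating it with an HMAC) removes the deserialization surface altogether.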

Affected Version(s)

Compare Products for WooCommerce <= 3.2.1

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

  • Vulnerability published: 7 January 2025

  • Vulnerability Reserved

Credit

Brian Sans-Souci