PHP Object Injection Vulnerability in Compare Products for WooCommerce Plugin
CVE-2024-12313
8.1 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 7 January 2025
What is CVE-2024-12313?
The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.2.1, because it deserializes untrusted input from the 'woo_compare_list' cookie. This allows unauthenticated attackers to inject arbitrary PHP objects. The vulnerable software itself contains no known Property-Oriented Programming (POP) chain, but the risk escalates if an additional plugin or theme installed on the target system provides one, potentially allowing attackers to execute arbitrary code, delete files, or access sensitive data.
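A defensive check for the pattern described above, as an added example that is not code from the plugin or the advisory: it walks a URL-encoded `woo_compare_list` cookie value in PHP `serialize()` format and reports any embedded object, skipping string bodies by their declared length so that text which merely looks like an object is not flagged. The function names, verdict labels and sample headers are constructed for illustration, and the code assumes the cookie carries URL-encoded `serialize()` output.

```python
import re
from urllib.parse import quote, unquote_to_bytes

COOKIE = "woo_compare_list"  # cookie name from the advisory

def _take(pattern: bytes, data: bytes, pos: int) -> re.Match:
    m = re.compile(pattern).match(data, pos)
    if m is None:
        raise ValueError(f"unexpected data at offset {pos}")
    return m

def _value(data: bytes, pos: int, classes: list) -> int:
    """Parse one PHP serialize() value at pos; return the offset just past it."""
    m = _take(rb'N;|[bidrR]:[^;:{}"]*;|(a):|([sO]):(\d+):"', data, pos)
    pos = m.end()
    if m[2]:  # s or O: quoted bytes, skipped by declared length, never scanned
        body, pos = data[pos:pos + int(m[3])], pos + int(m[3])
        if m[2] == b"s":
            return _take(rb'";', data, pos).end()
        classes.append(body.decode("utf-8", "replace"))  # object class name
        pos = _take(rb'":', data, pos).end()
    if m[1] or m[2]:  # array or object: COUNT:{ key/value pairs }
        head = _take(rb"(\d+):\{", data, pos)
        pos = head.end()
        for _ in range(2 * int(head[1])):
            pos = _value(data, pos, classes)
        pos = _take(rb"\}", data, pos).end()
    return pos  # other tags (C:, E:, ...) never match and fail closed above

def classify(cookie_header: str) -> tuple[str, list[str]]:
    """Verdict for a raw Cookie header: absent, clean, object or malformed."""
    hit = re.search(rf"(?:^|;\s*){COOKIE}=([^;]*)", cookie_header)
    if hit is None:
        return "absent", []
    data, classes = unquote_to_bytes(hit[1]), []
    try:
        _take(rb"\Z", data, _value(data, 0, classes))  # whole value must parse
    except (ValueError, RecursionError):
        return "malformed", []
    return ("object" if classes else "clean"), classes

# Constructed sample headers; stdClass stands in for any class name
SAMPLES = [
    "woo_compare_list=" + quote('a:2:{i:0;i:12;i:1;i:34;}'),
    "sid=1; woo_compare_list=" + quote('a:1:{i:0;O:8:"stdClass":0:{}}'),
]

if __name__ == "__main__":
    print([classify(header) for header in SAMPLES])
```

Both the `object` and `malformed` verdicts are grounds to reject or alert on a request; only `clean` and `absent` are expected from normal traffic under the stated assumption.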
Affected Version(s)
Compare Products for WooCommerce * <= 3.2.1