PHP Object Injection Vulnerability in Custom Product Tabs Lite for WooCommerce by WordPress
CVE-2024-12600
7.2 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 25 January 2025
Summary
The Custom Product Tabs Lite for WooCommerce plugin is vulnerable to PHP Object Injection through the deserialization of untrusted input in the 'frs_woo_product_tabs' parameter. An authenticated user with Shop Manager-level access or above can use this to inject a PHP object. No property-oriented programming (POP) chain is known in the vulnerable software itself, but if another plugin or theme on the system introduces a POP chain, it may enable attackers to delete files, access sensitive information, or execute arbitrary code.
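A hardened way to decode a request value such as 'frs_woo_product_tabs', shown as an added example that is neither the plugin's code nor its actual fix. The function names and sample strings are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical handler code, not taken from the plugin.

/** True if a decoded value holds any object, including __PHP_Incomplete_Class. */
function demo_contains_object($value): bool {
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (demo_contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Decode tab data from an untrusted request value.
 * 'allowed_classes' => false stops unserialize() from instantiating any class,
 * so no magic method of a class shipped by another plugin or theme can run.
 * Returns null unless the result consists only of arrays and scalars.
 */
function demo_decode_tabs(string $raw): ?array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || demo_contains_object($data)) {
        return null;
    }
    return $data;
}

// Constructed sample inputs: plain tab data, a serialized object, and junk.
$samples = [
    'plain'  => 'a:1:{i:0;a:2:{s:5:"title";s:5:"Specs";s:7:"content";s:4:"Text";}}',
    'object' => 'a:1:{i:0;O:8:"stdClass":0:{}}',
    'junk'   => 'not serialized',
];

foreach ($samples as $label => $raw) {
    $decoded = demo_decode_tabs($raw);
    echo $label, ': ', $decoded === null ? 'rejected' : 'accepted', "\n";
}
```

Storing the tab data as JSON and decoding it with `json_decode()` avoids the object-instantiation path entirely, since JSON has no class notation.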
Affected Version(s)
Custom Product Tabs Lite for WooCommerce * <= 1.9.0
CVSS V3.1
- Score: 7.2
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Francesco Carlucci