PHP Object Injection Vulnerability in WooCommerce Custom Product Tabs Plugin
CVE-2024-12721

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Custom Product Tabs For WooCommerce
Vendor: CVE Published:; 21 December 2024

Summary

The Custom Product Tabs For WooCommerce plugin for WordPress is susceptible to a PHP Object Injection vulnerability due to insecure deserialization of the 'wb_custom_tabs' parameter. This flaw exists in all versions up to and including 1.2.4 and impacts authenticated users with Shop Manager-level access and higher. Attackers could exploit this vulnerability to inject a PHP object, potentially leading to unauthorized file deletion, sensitive data exposure, or arbitrary code execution if a suitable PHP Object Pollution (POP) chain exists through other installed plugins or themes.

Affected Version(s)

Custom Product Tabs For WooCommerce * <= 1.2.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wb-custom-prod...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 21, 2024
Vulnerability Reserved
Dec 17, 2024

Credit

Francesco Carlucci