PHP Object Injection Vulnerability in CiyaShop WooCommerce Theme
CVE-2024-13824

9.8CRITICAL

Key Information:

Vendor: Potenzaglobalsolutions
Status: Ciyashop - Multipurpose WooCommerce Theme
Vendor: CVE Published:; 14 March 2025

Summary

The CiyaShop - Multipurpose WooCommerce Theme for WordPress is susceptible to PHP Object Injection due to improper deserialization of untrusted input in the 'add_ciyashop_wishlist' and 'ciyashop_get_compare' functions. This vulnerability allows unauthenticated attackers to potentially inject a PHP Object. Although there is no known PHP Object Propagation (POP) chain present in this theme, the presence of another plugin or theme containing a POP chain could enable attackers to execute various malicious actions, including file deletions, data retrieval, or remote code execution, depending on the vulnerabilities of those additional components.

Affected Version(s)

CiyaShop - Multipurpose WooCommerce Theme * <= 4.19.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/ciyashop-responsive-multipur...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 14, 2025
Vulnerability Reserved
Feb 3, 2025

Credit

Lucio Sá