WooCommerce Social Login Plugin Vulnerable to PHP Object Injection
CVE-2024-5871

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: WooCommerce - Social Login
Vendor: CVE Published:; 15 June 2024

Summary

The WooCommerce - Social Login plugin for WordPress is susceptible to PHP Object Injection through the deserialization of untrusted input from the 'woo_slg_verify' parameter. This vulnerability affects all versions up to and including 2.6.2. Unauthenticated attackers can exploit this flaw to inject PHP objects, posing significant risks if any existing plugins or themes on the target system allow the establishment of a PHP Object Proximity (POP) chain. Such an exploit could enable attackers to delete arbitrary files, access sensitive information, or execute malicious code, highlighting the need for immediate remedial action by users of affected versions.

Affected Version(s)

WooCommerce - Social Login * <= 2.6.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://codecanyon.net/item/social-login-wordpress-woocom...

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 15, 2024
Vulnerability Reserved
Jun 11, 2024

Credit

István Márton