PHP Object Injection Vulnerability in WooCommerce Recover Abandoned Cart Plugin by WordPress
CVE-2025-0956
8.1HIGH
Key Information:
- Vendor
- WordPress
- Vendor
- CVE Published:
- 5 March 2025
Summary
The WooCommerce Recover Abandoned Cart plugin for WordPress is susceptible to PHP Object Injection due to the deserialization of untrusted input from the 'raccookie_guest_email' cookie. This vulnerability allows unauthenticated attackers to potentially inject PHP Objects. While there is currently no known PHP Object Pop chain present in the affected software, its existence on the site through another plugin or theme could enable attackers to execute harmful actions such as file deletion, data retrieval, or remote code execution. Users are advised to review their installed plugins and themes for possible vulnerabilities.
Affected Version(s)
WooCommerce Recover Abandoned Cart * <= 24.3.0
References
CVSS V3.1
Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lucio Sá