WooCommerce <= 3.2.3 - Authenticated PHP Object Injection



Description
"Versions 3.2.3 and earlier are affected by an issue where cached queries within shortcodes could lead to object injection. This is related to the recent WordPress 4.8.3 security release.

This issue can only be exploited by users who can edit content and add shortcodes, but we still recommend all users running WooCommerce 3.x upgrade to 3.2 to mitigate this issue."

Affects Plugin

Fixed in version 3.2.4

References

CVE 2017-18356
URL https://woocommerce.wordpress.com/2017/11/16/woocommerce-3-2-4-security-fix-release-notes/
URL https://blog.ripstech.com/2018/woocommerce-php-object-injection/

Classification

Type OBJECTINJECTION

Miscellaneous

Original Researcher RIPS Technologies
Submitter ethicalhack3r
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Verified No
WPVDB ID 9028

Timeline

Publicly Published 2017-11-16 (over 1 year ago)
Added 2018-02-23 (over 1 year ago)
Last Updated 2019-01-15 (6 months ago)