WooCommerce <= 3.4.5 - Authenticated Object Injection



Description
According to WooCommerce:

"Versions 3.4.5 and earlier are affected by a handful of issues that allow Shop Managers to exceed their capabilities and perform malicious actions. These issues can be exploited by users with Shop Manager capabilities or greater, and we recommend all users running WooCommerce 3.x upgrade to 3.4.6 to mitigate them. Thanks to Simon Scannell, Karim, and Slavco for reporting the issues."

See references for PoC and further technical details.

Affects Plugin

WooCommerce, fixed in version 3.4.6

References

URL https://medium.com/websec/woocommerce-and-azis-with-scotch-bc9d561377e1
URL https://github.com/woocommerce/woocommerce/commit/4738162c25bb244631574d4230533b470f0ee8df#diff-dc3a1c9d68e161cfe6566b05971ec631
URL https://woocommerce.wordpress.com/2018/10/11/woocommerce-3-4-6-security-fix-release-notes/

Classification

Type OBJECTINJECTION
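The classification above refers to PHP object injection in general: when attacker-controlled data reaches unserialize(), PHP instantiates whatever class the payload names and the magic methods of that class (__wakeup, __destruct, __toString, ...) run with attacker-chosen property values. The following is an added illustration of that class of bug and its standard hardening; it is not WooCommerce code and does not reproduce the code path fixed in 3.4.6 (see the references for that). The CacheEntry class, the loadSettings* functions and the payload are constructed for this example.

```php
<?php
// Added illustration of PHP object injection (constructed example, not
// WooCommerce code). Requires PHP 7.0+ for the unserialize() options array.

// A "gadget": any class already loaded by the application whose magic method
// does something useful to an attacker when its properties are chosen freely.
class CacheEntry
{
    public $path = '';
    public $content = '';

    public function __destruct()
    {
        // Runs automatically when the object is freed, which happens right
        // after unserialize() if the caller discards the result.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// Vulnerable pattern: untrusted input reaches unserialize() unrestricted,
// so the payload decides which class is instantiated.
function loadSettingsVulnerable(string $untrusted)
{
    return unserialize($untrusted);
}

// Hardened pattern 1: forbid every class. Objects in the input are turned
// into __PHP_Incomplete_Class, whose magic methods never execute.
function loadSettingsHardened(string $untrusted)
{
    $data = unserialize($untrusted, ['allowed_classes' => false]);
    if ($data === false && $untrusted !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    return $data;
}

// Hardened pattern 2: use a format that cannot express objects at all.
function loadSettingsJson(string $untrusted): array
{
    $data = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a JSON object');
    }
    return $data;
}

// What an attacker submits: a serialized CacheEntry whose destructor writes a
// file of their choosing. Built with serialize() here for readability; in a
// real attack it is a hand-crafted string such as O:10:"CacheEntry":2:{...}.
$target = sys_get_temp_dir() . '/injected.php';
$gadget = new CacheEntry();
$gadget->path = $target;
$gadget->content = "<?php echo 'injected'; ?>";
$payload = serialize($gadget);
$gadget->path = ''; // neutralise the local object's own destructor

loadSettingsVulnerable($payload);          // CacheEntry created, __destruct fires
var_dump(file_exists($target));            // bool(true): the file was written
unlink($target);

$safe = loadSettingsHardened($payload);    // no class instantiated, nothing runs
var_dump(get_class($safe));                // string "__PHP_Incomplete_Class"
var_dump(file_exists($target));            // bool(false)

var_dump(loadSettingsJson('{"cache_ttl": 60}')); // plain array, no objects possible
```

The practical check when reviewing plugin code is to grep for unserialize( and maybe_unserialize( and trace whether any argument can originate from a request, an upload, or a database field a lower-privileged role (here, Shop Manager) can write; a privilege boundary crossed by serialized data is the pattern this advisory is about.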

Miscellaneous

Original Researcher Slavco
Submitter Slavco
Submitter Website https://medium.com/websec
Submitter Twitter mslavco
Verified No
WPVDB ID 9137

Timeline

Publicly Published 2018-10-11
Added 2018-10-19
Last Updated 2018-10-19

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.