WordPress Plugin Vulnerabilities

Checkout Field Editor for WooCommerce < 1.8.0 - Admin+ PHP Object Injection

Description

The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admins to perform PHP Object Injection when a suitable gadget is present.

Proof of Concept

To simulate a gadget chain, put the following code in a plugin:

class Evil {
  // __wakeup() is called automatically when unserialize() rebuilds an Evil object
  public function __wakeup() : void {
    die("Arbitrary deserialization");
  }
}

Then import the following payload via WooCommerce > Checkout Form > Advanced Settings > Backup and Import Settings: Tzo0OiJFdmlsIjowOnt9Ow==

Tzo0OiJFdmlsIjowOnt9Ow== is the base64 encoding of the serialized object: O:4:"Evil":0:{};
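
One way to import a base64 settings backup without instantiating objects, as an added example that is not the plugin's own code or its 1.8.0 fix. The function names import_settings_safely and has_object are hypothetical, and the benign backup is constructed for the demonstration.

```php
<?php
// Added example: import_settings_safely() and has_object() are hypothetical names.

// Recursively detect any object, including the __PHP_Incomplete_Class
// placeholders that unserialize() produces for disallowed classes.
function has_object($value): bool {
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (has_object($item)) {
                return true;
            }
        }
    }
    return false;
}

function import_settings_safely(string $blob): array {
    $raw = base64_decode($blob, true); // strict mode: reject non-base64 characters
    if ($raw === false) {
        throw new InvalidArgumentException('import is not valid base64');
    }
    // allowed_classes => false: serialized objects become __PHP_Incomplete_Class,
    // so magic methods such as __wakeup() never run during the import.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || has_object($data)) {
        throw new InvalidArgumentException('import must be an array of scalars/arrays');
    }
    return $data;
}

// Constructed benign backup: a serialized array is accepted.
$ok = base64_encode(serialize(['billing' => ['first_name' => ['required' => true]]]));
var_dump(import_settings_safely($ok));

// The payload from the proof of concept is rejected; even with the Evil class
// loaded, its __wakeup() does not run.
try {
    import_settings_safely('Tzo0OiJFdmlsIjowOnt9Ow==');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Where the backup format can be changed, exporting and importing settings as JSON (json_encode/json_decode) avoids unserialize() on user input altogether.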

Classification

Type
OBJECT INJECTION

Miscellaneous

Original Researcher
Nguyen Duy Quoc Khanh
Submitter
Nguyen Duy Quoc Khanh
Verified
Yes

Timeline

Publicly Published
2022-11-07
Added
2022-11-07
Last Updated
2022-11-07