WooCommerce <= 3.4.4 – Potential Object Injection | Plugin Vulnerabilities

Description

According to WooCommerce:

"Versions 3.4.4 and earlier are affected by an issue where a function that updates attributes could lead to object injection. This is related to the WordPress 4.8.3 security release.

This issue can only be exploited by users who can edit attributes and should not be possible to exploit through the WordPress administrative screens, but we still recommend all users running WooCommerce 3.x upgrade to 3.4.5 to mitigate this issue. Thanks to slavco for responsibly disclosing the vulnerability to us."

Affects Plugins

Fixed in 3.4.5

References

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

Miscellaneous

Submitter

Ryan Dewhurst

Submitter twitter

Verified

No

WPVDB ID

13a534b4-97bd-48e1-b936-cc57c9c56396

Timeline

Publicly Published

2018-08-29 (about 7 years ago)

Added

2018-08-30 (about 7 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2025-08-25

Title

Employee Directory – Staff Listing & Team Directory Plugin for WordPress <= 4.5.3 - Unauthenticated PHP Object Injection

Published

2025-03-04

Title

WooCommerce Recover Abandoned Cart <= 24.3.0 - Unauthenticated PHP Object Injection

Published

2025-04-09

Title

Accordion < 2.3.12 - Contributor+ PHP Object Injection

Published

2025-08-26

Title

Cars4Rent <= 1.4.2 - Unauthenticated PHP Object Injection

Published

2024-08-12

Title

Indeed Membership Pro < 12.8 - Unauthenticated PHP Object Injection