WordPress Plugin Vulnerabilities

YITH WooCommerce Product Add-Ons < 4.3.1 - Authenticated(Shop Manager+) PHP Object Injection

Description

The YITH WooCommerce Product Add-Ons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 4.3.1 (exclusive) via deserialization of untrusted input in the 'save_addon' function. This makes it possible for authenticated attackers, with Shop Manager access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
yith-woocommerce-product-add-ons
Fixed in 4.3.1

References

CVE
CVE-2023-49777
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7edd06d9-3897-4644-a77e-e58ab6d14c95

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
42768db9-982e-4b6f-90b0-d82c6502e91a

Timeline

Publicly Published
2023-12-28 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2016-11-15
Title
Google Analytics Counter Tracker < 3.5.0 - Unauthenticated PHP Object Injection
Published
2025-05-29
Title
WP Posts Carousel < 1.3.13 - Authenticated (Contributor+) PHP Object Injection
Published
2026-03-05
Title
Bus Ticket Booking with Seat Reservation <= 5.6.2 - Unauthenticated PHP Object Injection
Published
2026-03-04
Title
Jardi | Winery, Vineyard & Wine Shop WordPress Theme <= 1.7.2 - Unauthenticated PHP Object Injection
Published
2023-08-08
Title
Weaver Show Posts < 1.8.1 - Admin+ PHP Object Injection