BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages < 3.4.21 – Authenticated (Subscriber+) PHP Object Injection in get_simple_request | CVE 2024-2025 | Plugin Vulnerabilities

Description

The "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages" plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.20 via deserialization of untrusted input in the get_simple_request function. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Fixed in 3.4.21

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/78da9e79-399e-43e3-ac27-a162861cae71

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

4c4df5fe-fbb7-4fe3-b49a-efb35ca80e2d

Timeline

Publicly Published

2024-03-22 (about 2 years ago)

Added

2024-03-22 (about 2 years ago)

Last Updated

2024-03-22 (about 2 years ago)

Other

Published

Title

Published

2025-07-08

Title

Hillter <= 3.0.7 - Authenticated (Subscriber+) PHP Object Injection

Published

2022-12-09

Title

Custom Field Template < 2.5.8 - Admin+ PHP Object Injection

Published

2024-01-31

Title

Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently < 4.1.2 - Authenticated (Contributor+) PHP Object Injection in mep_event_meta_save

Published

2026-04-13

Title

Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts < 3.0.13 - Authenticated (Administrator+) PHP Object Injection

Published

2026-04-20

Title

Behold < 1.6 - Unauthenticated PHP Object Injection