WordPress Plugin Vulnerabilities

WooCommerce Product Add-ons < 6.2.0 - Shop Manager+ PHP Object Injection

Description

The plugin is vulnerable to PHP Object Injection in versions up to, and including, 6.1.3 via deserialization of untrusted input. This allows authenticated attackers, with shop manager permissions and above, to inject a PHP Object. It is unknown if a POP chain is also present in the plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
woocommerce-product-addons
Fixed in 6.2.0

References

CVE
CVE-2023-32795

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
51702816-edb8-48fb-aee0-4e771e70234d

Timeline

Publicly Published
2023-05-15 (about 2 years ago)
Added
2023-11-10 (about 2 years ago)
Last Updated
2023-11-10 (about 2 years ago)

Other

Published
Title
Published
2025-04-17
Title
Rating by BestWebSoft <= 1.7 - Authenticated (Subscriber+) PHP Object Injection
Published
2025-02-14
Title
Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider < 3.95.0 - Authenticated (Editor+) PHP Object Injection
Published
2024-03-26
Title
BetterDocs – Best Documentation, FAQ & Knowledge Base Plugin with AI Support & Instant Answer for Elementor & Gutenberg < 3.3.4 - Unauthenticated PHP Object Injection
Published
2024-07-11
Title
Search & Replace < 3.2.3 - Unauthenticated PHP Object Injection
Published
2025-04-21
Title
Grand Restaurant WordPress <= 7.0 - Unauthenticated PHP Object Injection