WordPress Plugin Vulnerabilities

Custom Product Tabs for WooCommerce <= 1.8.5 - Shop Manager+ PHP Object Injection

Description

The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input in the 'yikes_woo_products_tabs' post meta parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
yikes-inc-easy-custom-woocommerce-product-tabs
No known fix

References

CVE
CVE-2024-11465
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1ad0d6eb-aafa-4f0b-bf1c-73d94e361087

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
77c4f10c-204c-4568-91b6-8e1d98aaf4b6

Timeline

Publicly Published
2025-01-06 (about 1 year ago)
Added
2025-01-13 (about 1 year ago)
Last Updated
2025-01-13 (about 1 year ago)

Other

Published
Title
Published
2017-03-01
Title
Analytics Stats Counter Statistics - Unauthenticated PHP Object Injection
Published
2024-08-28
Title
Theme Editor < 2.9 - Authenticated (Admin+) PHAR Deserialization
Published
2026-03-20
Title
Vex < 1.2.9 - Authenticated (Subscriber+) PHP Object Injection
Published
2026-02-18
Title
Valenti <= 5.6.3.5 - Authenticated (Contributor+) PHP Object Injection
Published
2024-04-26
Title
GiveWP – Donation Plugin and Fundraising Platform < 3.5.0 - Authenticated (GiveWP Manager+) PHP Object Injection