WordPress Plugin Vulnerabilities

WooCommerce <= 3.4.5 - Authenticated Phar Deserialization

Description

The WooCommerce WordPress plugin was affected by an Authenticated Phar Deserialization security vulnerability.

Affects Plugins

Plugin icon
woocommerce
Fixed in 3.4.6

References

URL
https://www.ripstech.com/php-security-calendar-2018/#day-3

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94

Miscellaneous

Original Researcher
Ripstech
Submitter
Chris
Submitter website
https://firefart.at/
Submitter twitter
_FireFart_
Verified
No
WPVDB ID
9567f575-529d-4d66-980c-73cba6726673

Timeline

Publicly Published
2018-12-10 (about 7 years ago)
Added
2018-12-10 (about 7 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2022-06-28
Title
Import any XML or CSV File to WordPress < 3.6.8 - Admin+ Arbitrary Code Execution
Published
2025-09-10
Title
Catalog Importer, Scraper & Crawler <= 5.1.4 - Unauthenticated PHP Code Injection
Published
2026-02-24
Title
W3 Total Cache <= 2.9.1 - Unauthenticated Arbitrary Code Execution
Published
2024-05-07
Title
WP Latest Posts < 5.0.8 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
Published
2024-01-03
Title
LearnPress < 4.2.5.8 - Unauthenticated Command Injection