WooCommerce <= 3.4.5 – Authenticated Object Injection | Plugin Vulnerabilities

Description

According to WooCommerce:

"Versions 3.4.5 and earlier are affected by a handful of issues that allow Shop Managers to exceed their capabilities and perform malicious actions. These issues can be exploited by users with Shop Manager capabilities or greater, and we recommend all users running WooCommerce 3.x upgrade to 3.4.6 to mitigate them. Thanks to Simon Scannell, Karim, and Slavco for reporting the issues."

See references for PoC and further technical details.

Affects Plugins

Fixed in 3.4.6

References

URL

https://medium.com/websec/woocommerce-and-azis-with-scotch-bc9d561377e1

URL

https://github.com/woocommerce/woocommerce/commit/4738162c25bb244631574d4230533b470f0ee8df#diff-dc3a1c9d68e161cfe6566b05971ec631

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

Miscellaneous

Original Researcher

Slavco

Submitter

Slavco

Submitter website

https://medium.com/websec

Submitter twitter

Verified

No

WPVDB ID

b9af34f0-9012-41a1-870b-89d4e5d2eb27

Timeline

Publicly Published

2018-10-11 (about 7 years ago)

Added

2018-10-19 (about 7 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2026-01-29

Title

KindlyCare <= 1.6.1 - Unauthenticated PHP Object Injection

Published

2026-02-11

Title

Extreme Store <= 1.5.7 - Unauthenticated PHP Object Injection

Published

2025-05-14

Title

WPBot Pro Wordpress Chatbot <= 12.7.0 - Unauthenticated PHP Object Injection

Published

2025-12-31

Title

Newsletters < 4.12 - Unauthenticated PHP Object Injection

Published

2016-11-17

Title

Post Indexer <= 3.0.6.1 - PHP Object Injection via MitM