CVE-2024-12313
Published: 07 January 2025
Description
The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input from the 'woo_compare_list' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Security Summary
CVE-2024-12313, published on 2025-01-07, is a PHP Object Injection vulnerability (CWE-502) in the Compare Products for WooCommerce plugin for WordPress, affecting all versions up to and including 3.2.1. The flaw stems from deserialization of untrusted input stored in the 'woo_compare_list' cookie, enabling attackers to inject a PHP object.
Unauthenticated attackers can exploit this vulnerability remotely over the network (AV:N) with high attack complexity (AC:H), no required privileges (PR:N), and no user interaction (UI:N), earning a CVSS v3.1 base score of 8.1 due to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known Property-Oriented Programming (POP) chain exists within the vulnerable plugin, a POP chain introduced by an additional plugin or theme on the target system could allow attackers to delete arbitrary files, retrieve sensitive data, or execute arbitrary code.
References in the CVE include WordPress plugin trac browser links to vulnerable code in trunk/classes/class-wc-compare-functions.php at lines 219, 237, 256, and 275, along with changeset 3215166, which addresses the deserialization issue.
Details
- CWE(s)