CVE-2024-13831

CVE-2024-13831 is a PHP Object Injection vulnerability (CWE-502) affecting the Tabs for WooCommerce plugin for WordPress in all versions up to and including 1.0.0. The issue arises from deserialization of untrusted input in the 'product_has_custom_tabs' function, enabling the injection of a PHP Object. Published on 2025-02-28 with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), it poses a high-impact risk under specific conditions.

Authenticated attackers with Shop Manager-level access or higher can exploit this vulnerability over the network with low complexity. While no known Property-Oriented Programming (POP) chain exists within the vulnerable plugin itself—limiting standalone impact—the presence of a POP chain from another installed plugin or theme could allow severe consequences, such as deleting arbitrary files, retrieving sensitive data, or executing arbitrary code, depending on the chain.

Advisories and source code details are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/790a2c64-b358-41ed-be17-f2b99d294617?source=cve and the plugin's trac repository at https://plugins.trac.wordpress.org/browser/wc-tabs/trunk/wc-tabs-lite.php#L363, which highlight the deserialization point at line 363.