CVE-2025-0956
Published: 05 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-0956 is a PHP Object Injection vulnerability (CWE-502) affecting the WooCommerce Recover Abandoned Cart plugin for WordPress in all versions up to and including 24.4.0. The issue arises from deserialization of untrusted input stored in the 'raccookie_guest_email' cookie, enabling attackers to inject arbitrary PHP objects. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting high confidentiality, integrity, and availability impacts under specific conditions.
Unauthenticated attackers can exploit this vulnerability remotely without privileges by crafting a malicious 'raccookie_guest_email' cookie. However, the vulnerable plugin itself contains no known Property-Oriented Programming (POP) chain, rendering it ineffective in isolation. Exploitation requires a separate plugin or theme on the target site that provides a POP chain, potentially allowing attackers to delete arbitrary files, retrieve sensitive data, or execute arbitrary code depending on the chain's capabilities.
Advisories detailing the vulnerability are available from Wordfence and the plugin's CodeCanyon listing. No specific patch information or mitigation steps are outlined in the CVE description.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote unauthenticated PHP object injection vulnerability in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications for initial access and potential arbitrary code execution or data manipulation.