In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.
References
Link | Resource |
---|---|
https://blog.ripstech.com/2018/woocommerce-php-object-injection/ | Exploit Third Party Advisory |
https://woocommerce.wordpress.com/2017/11/16/woocommerce-3-2-4-security-fix-release-notes/ | Release Notes |
https://blog.ripstech.com/2018/woocommerce-php-object-injection/ | Exploit Third Party Advisory |
https://woocommerce.wordpress.com/2017/11/16/woocommerce-3-2-4-security-fix-release-notes/ | Release Notes |
Configurations
History
21 Nov 2024, 03:19
Type | Values Removed | Values Added |
---|---|---|
References | () https://blog.ripstech.com/2018/woocommerce-php-object-injection/ - Exploit, Third Party Advisory | |
References | () https://woocommerce.wordpress.com/2017/11/16/woocommerce-3-2-4-security-fix-release-notes/ - Release Notes |
17 Oct 2024, 12:32
Type | Values Removed | Values Added |
---|---|---|
First Time |
Woocommerce woocommerce
Woocommerce |
|
CPE | cpe:2.3:a:woocommerce:woocommerce:*:*:*:*:*:wordpress:*:* |
Information
Published : 2019-01-15 16:29
Updated : 2024-11-21 03:19
NVD link : CVE-2017-18356
Mitre link : CVE-2017-18356
CVE.ORG link : CVE-2017-18356
JSON object : View
Products Affected
woocommerce
- woocommerce
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')