CVE-2017-18356

In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.
Configurations

Configuration 1 (hide)

cpe:2.3:a:woocommerce:woocommerce:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 03:19

Type Values Removed Values Added
References () https://blog.ripstech.com/2018/woocommerce-php-object-injection/ - Exploit, Third Party Advisory () https://blog.ripstech.com/2018/woocommerce-php-object-injection/ - Exploit, Third Party Advisory
References () https://woocommerce.wordpress.com/2017/11/16/woocommerce-3-2-4-security-fix-release-notes/ - Release Notes () https://woocommerce.wordpress.com/2017/11/16/woocommerce-3-2-4-security-fix-release-notes/ - Release Notes

17 Oct 2024, 12:32

Type Values Removed Values Added
First Time Woocommerce woocommerce
Woocommerce
CPE cpe:2.3:a:automattic:woocommerce:*:*:*:*:*:wordpress:*:* cpe:2.3:a:woocommerce:woocommerce:*:*:*:*:*:wordpress:*:*

Information

Published : 2019-01-15 16:29

Updated : 2024-11-21 03:19


NVD link : CVE-2017-18356

Mitre link : CVE-2017-18356

CVE.ORG link : CVE-2017-18356


JSON object : View

Products Affected

woocommerce

  • woocommerce
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')