CVE-2024-8922

The Product Enquiry for WooCommerce, WooCommerce product catalog plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.33.32 via deserialization of untrusted input in enquiry_detail.php. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Configurations

Configuration 1 (hide)

cpe:2.3:a:piwebsolution:product_enquiry_for_woocommerce:*:*:*:*:*:wordpress:*:*

History

04 Oct 2024, 19:11

Type Values Removed Values Added
References () https://plugins.trac.wordpress.org/changeset/3155863/enquiry-quotation-for-woocommerce - () https://plugins.trac.wordpress.org/changeset/3155863/enquiry-quotation-for-woocommerce - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/9a485314-cd68-400c-b398-2f8529c6a3ab?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/9a485314-cd68-400c-b398-2f8529c6a3ab?source=cve - Third Party Advisory
CPE cpe:2.3:a:piwebsolution:product_enquiry_for_woocommerce:*:*:*:*:*:wordpress:*:*
First Time Piwebsolution
Piwebsolution product Enquiry For Woocommerce

30 Sep 2024, 12:46

Type Values Removed Values Added
Summary
  • (es) El complemento Product Enquiry for WooCommerce, WooCommerce product catalog para WordPress, es vulnerable a la inyección de objetos PHP en todas las versiones hasta la 2.2.33.32 incluida, a través de la deserialización de entradas no confiables en enquiry_detail.php. Esto hace posible que atacantes autenticados, con acceso de nivel de autor y superior, inyecten un objeto PHP. No hay ninguna cadena POP presente en el software vulnerable. Si hay una cadena POP presente a través de un complemento o tema adicional instalado en el sistema de destino, podría permitir al atacante eliminar archivos arbitrarios, recuperar datos confidenciales o ejecutar código.

27 Sep 2024, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-27 06:15

Updated : 2024-10-04 19:11


NVD link : CVE-2024-8922

Mitre link : CVE-2024-8922

CVE.ORG link : CVE-2024-8922


JSON object : View

Products Affected

piwebsolution

  • product_enquiry_for_woocommerce
CWE
CWE-502

Deserialization of Untrusted Data