CVE-2024-1773

2024-03-0719:15:11

Wordfence

web.nvd.nist.gov

cve-2024-1773

wordpress

woocommerce

plugin

vulnerability

php

object injection

nvd

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

Percentile

15.5%

JSON

The PDF Invoices and Packing Slips For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.7 via deserialization of untrusted input via the order_id parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affected configurations

Vulners

Vulnrichment

Node

acowebsproduct_labels_for_woocommerce_\(sale_badges\)Range≤1.3.7wordpress

VendorProductVersionCPE
acowebsproduct_labels_for_woocommerce_\(sale_badges\)*cpe:2.3:a:acowebs:product_labels_for_woocommerce_\(sale_badges\):*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
acowebs	product_labels_for_woocommerce_\(sale_badges\)	*	cpe:2.3:a:acowebs:product_labels_for_woocommerce_\(sale_badges\)::::::wordpress::*

CNA Affected

[
  {
    "vendor": "acowebs",
    "product": "PDF Invoices and Packing Slips For WooCommerce",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.3.7",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]