Yikes Custom Product Tabs for WooCommerce PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability affects the Yikes Custom Product Tabs for WooCommerce plugin for WordPress in all versions up to and including 1.8.5. The plugin deserializes untrusted data supplied in the 'yikes_woo_products_tabs' post meta parameter, which lets an authenticated attacker with Shop Manager-level access or higher inject an arbitrary PHP object. The plugin itself contains no known POP (property-oriented programming) gadget chain, so the injected object is inert on its own; if another plugin or theme on the same site provides a chain, the same injection can lead to arbitrary file deletion, sensitive data exposure, or code execution.

Impact

Successful exploitation gives the attacker PHP Object Injection: the ability to instantiate any class loaded on the site, with attacker-controlled property values, inside the WordPress PHP process. The practical impact depends on what else is installed. Without a gadget chain the object does nothing beyond existing; any plugin or theme whose classes act on their properties in magic methods such as __wakeup, __destruct or __toString turns the injection into file deletion, data disclosure, or code execution.

Reproduction

To reproduce this vulnerability, log in as a user with Shop Manager-level access or higher and submit a request that stores a crafted serialized string (one containing a PHP object token of the form O:<length>:"ClassName":...) in the 'yikes_woo_products_tabs' post meta parameter. When the plugin reads the value back it passes the untrusted string to unserialize(), which instantiates the attacker's object. Whether anything further happens depends on the magic methods of the classes available on the site.
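The sink described in the Vulnerability and Reproduction sections above, as an added PHP example that is not code from the Yikes plugin or from WordPress: a hypothetical gadget class standing in for something another plugin might ship, a constructed payload, the vulnerable unserialize() pattern beside a hardened loader, and a hunting check for serialized objects in stored meta. DemoLogCleaner, demo_payload(), vulnerable_load_tabs(), safe_load_tabs() and contains_serialized_object() are all assumed names; the payload and the "legitimate" tab record are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example (not code from the Yikes plugin or from WordPress). It shows
// the generic PHP Object Injection sink the advisory describes, a hardened
// loader, and a hunting check for serialized objects in stored meta.
// DemoLogCleaner, demo_payload(), vulnerable_load_tabs(), safe_load_tabs()
// and contains_serialized_object() are all hypothetical names.

// Hypothetical gadget: stands in for a class that some other plugin or theme
// on the site might ship. Its destructor runs automatically when the object is
// freed, so unserializing attacker data is dangerous even if the vulnerable
// plugin never calls a method on the result.
final class DemoLogCleaner
{
    public static array $actions = [];
    public string $path = '';

    public function __destruct()
    {
        // A real gadget would unlink($this->path); here we only record it.
        self::$actions[] = 'would delete ' . $this->path;
    }
}

// Constructed attacker payload: a serialized DemoLogCleaner pointing at a
// file the attacker wants removed. Lengths are computed so the string is valid.
function demo_payload(): string
{
    $class = 'DemoLogCleaner';
    $path  = '/var/www/.htaccess';
    return sprintf('O:%d:"%s":1:{s:4:"path";s:%d:"%s";}',
        strlen($class), $class, strlen($path), $path);
}

// Vulnerable pattern: the stored meta string goes straight to unserialize(),
// so any class on the site can be instantiated with attacker-chosen properties.
function vulnerable_load_tabs(string $meta_value)
{
    return unserialize($meta_value);
}

// Hardened pattern. allowed_classes=>false makes PHP return a
// __PHP_Incomplete_Class instead of instantiating anything, so no __wakeup or
// __destruct of a foreign class can run; the shape check then keeps only
// plain tab records.
function safe_load_tabs(string $meta_value): array
{
    $data = unserialize($meta_value, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    $tabs = [];
    foreach ($data as $tab) {
        if (!is_array($tab)
            || !isset($tab['title'], $tab['content'])
            || !is_string($tab['title']) || !is_string($tab['content'])) {
            continue; // drop anything that is not a {title, content} pair
        }
        $tabs[] = ['title' => $tab['title'], 'content' => $tab['content']];
    }
    return $tabs;
}

// Hunting check for incident response: a legitimate tabs value is a
// serialized array ("a:...") of arrays and strings. An O:<len>:" or
// C:<len>:" token at the start or after ';' or '{' means an object was
// stored and the row deserves a look (string contents can produce false
// positives, so treat a hit as a lead, not a verdict).
function contains_serialized_object(string $meta_value): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $meta_value);
}

// Demonstration run.
$payload = demo_payload();

$obj = vulnerable_load_tabs($payload);     // instantiates DemoLogCleaner
$loaded = get_class($obj);
unset($obj);                                // destructor fires here
printf("vulnerable: loaded %s, then %s\n", $loaded, DemoLogCleaner::$actions[0]);

$safe = safe_load_tabs($payload);           // [] : incomplete class is not an array
printf("hardened: %d tab(s) from payload, %d gadget action(s) total\n",
    count($safe), count(DemoLogCleaner::$actions));

$legit = serialize([['title' => 'Specs', 'content' => '<p>Weight: 2 kg</p>']]);
printf("hardened: %d tab(s) from legitimate data\n", count(safe_load_tabs($legit)));

printf("hunt: payload flagged=%s, legitimate flagged=%s\n",
    var_export(contains_serialized_object($payload), true),
    var_export(contains_serialized_object($legit), true));
```

Run it with php on the command line: the vulnerable loader instantiates DemoLogCleaner and the destructor records the file it would have deleted, while the hardened loader returns an empty list for the payload and one record for the legitimate value, with no further gadget action. In real plugin code the cleanest fix is to never call unserialize() on form input at all: pass the validated PHP array to update_post_meta(), which handles serialization itself, or store JSON and read it back with json_decode(), which cannot instantiate objects.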

Remediation

Update the Yikes Custom Product Tabs for WooCommerce plugin to version 1.8.6 or later, which fixes this issue. Until the update is applied, limit Shop Manager and higher accounts to trusted users and review the other plugins and themes on the site, since they determine whether an injected object can do any harm.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 10.0
exploitability: 6.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.