Custom Product Tabs Lite for WooCommerce PHP Object Injection Vulnerability

A PHP Object Injection vulnerability has been identified in the Custom Product Tabs Lite for WooCommerce plugin for WordPress, affecting all versions through 1.9.0. The vulnerability arises from the deserialization of untrusted input in the 'frs_woo_product_tabs' parameter. This issue allows authenticated attackers with Shop Manager-level access or higher to inject a PHP object. While the vulnerable software does not have a known object injection chain, such a chain could potentially be exploited if an additional plugin or theme on the target system facilitates it, possibly leading to arbitrary file deletion, sensitive data exposure, or code execution.

Impact

Exploitation of this vulnerability could allow for PHP Object Injection, with the potential for further exploitation if a suitable payload execution chain is available through another plugin or theme.

Reproduction

To reproduce this vulnerability, an authenticated user with Shop Manager-level access or higher can send a request that includes the 'frs_woo_product_tabs' parameter with crafted data that exploits the deserialization process, injecting a PHP object into the application.

Remediation

Users are advised to update the Custom Product Tabs Lite for WooCommerce plugin to version 1.9.1 or later.