Tabs for WooCommerce PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the Tabs for WooCommerce plugin for WordPress, affecting all versions through 1.0.0. The issue arises from the deserialization of untrusted input in the 'product_has_custom_tabs' function. This vulnerability allows authenticated attackers with Shop Manager-level access or higher to inject a PHP object. However, there is no impact unless another plugin or theme containing a property-oriented programming (POP) chain is installed on the site. If such a POP chain is present, it could enable the attacker to delete arbitrary files, retrieve sensitive data, or execute code, depending on the specific POP chain available.

Impact

Exploitation of this vulnerability could lead to unauthorized PHP Object Injection, allowing for potential exploitation if a suitable POP chain is present through another plugin or theme.

Reproduction

To reproduce this vulnerability, an authenticated user with Shop Manager-level access or higher can create or edit a product. During this process, the 'frs_woo_product_tabs' meta field can be manipulated to include serialized data that, when deserialized by the 'product_has_custom_tabs' function, injects a PHP object into the application. This exploitation requires the presence of an additional plugin or theme that contains a POP chain, which could be used to execute malicious actions on the site.
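The defect class described above, shown as a simplified illustration added here; this is not the plugin's own code. It assumes the plugin stores its tab definitions as a serialized PHP array in the 'frs_woo_product_tabs' post meta and that the checking function receives that stored string directly. The vulnerable form deserializes the string with no class restriction, so any serialized object in it is instantiated (and its magic methods become reachable). The hardened form refuses to instantiate classes and then validates the shape of the result; a small scanning helper for stored meta values is included as a detection aid for site owners reviewing existing data.

```php
<?php
// Added illustration of the vulnerability class; not code from Tabs for WooCommerce.
// Assumed storage format: a serialized PHP array of tabs, each tab an array with
// string 'title' and 'content' entries, kept in the 'frs_woo_product_tabs' meta.

// Vulnerable pattern: unserialize() on user-controllable meta with no class
// restriction. Objects embedded in $raw are instantiated here, which is what
// makes a POP chain in some other plugin or theme reachable.
function product_has_custom_tabs_vulnerable(string $raw): bool
{
    $tabs = @unserialize($raw);
    return is_array($tabs) && count($tabs) > 0;
}

// Hardened pattern: allowed_classes => false (PHP 7.0+) turns any serialized
// object into __PHP_Incomplete_Class instead of instantiating it, and the
// shape check below rejects anything that is not plain tab data.
function product_has_custom_tabs_hardened(string $raw): bool
{
    if ($raw === '') {
        return false;
    }
    $tabs = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($tabs) || count($tabs) === 0) {
        return false;
    }
    foreach ($tabs as $tab) {
        // Each tab must be an array carrying two strings; objects (including
        // __PHP_Incomplete_Class) and other types fail this test.
        if (!is_array($tab)
            || !isset($tab['title'], $tab['content'])
            || !is_string($tab['title'])
            || !is_string($tab['content'])) {
            return false;
        }
    }
    return true;
}

// Detection aid: under the assumed format, stored values should contain only
// arrays and scalars, so an object token ('O:<len>:"Class"' or 'C:<len>:"Class"')
// at a value position is unexpected and worth investigating.
function meta_contains_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed sample values for a local run.
$benign  = serialize([['title' => 'Specs', 'content' => '<p>Size: M</p>']]);
$tainted = 'a:1:{i:0;O:8:"stdClass":0:{}}';  // constructed: a harmless stdClass

var_dump(product_has_custom_tabs_hardened($benign));
var_dump(product_has_custom_tabs_hardened($tainted));
var_dump(meta_contains_serialized_object($benign));
var_dump(meta_contains_serialized_object($tainted));
```

The shape check matters as much as the allowed_classes option: restricting classes stops instantiation, but the caller still has to treat whatever comes back as untrusted data rather than assume it is the array the plugin wrote. A site owner who cannot remove the plugin can at least run the scanning helper over existing 'frs_woo_product_tabs' values to find entries that already carry object tokens.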

Remediation

No known patch is available for this vulnerability. It is recommended to review the vulnerability details thoroughly and consider uninstalling the affected plugin.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.