WooCommerce Infinite Scroll and Ajax Pagination PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress, affecting all versions through 1.8. The vulnerability arises in the 'import_settings' function, where the 'settings' parameter is deserialized without proper capability checks, allowing authenticated attackers with Subscriber-level access and above to inject PHP objects. The vulnerable plugin itself does not contain a POP (property-oriented programming) chain, but if such a chain is present in an additional plugin or theme, an attacker could delete arbitrary files, access sensitive data, or execute code.

Impact

Exploitation of this vulnerability could lead to unauthorized PHP Object Injection, with potential for file deletion, sensitive data exposure, or arbitrary code execution, depending on the presence of a suitable POP chain in the environment.

Remediation

There is no known patch available for this vulnerability. Review the vulnerability details thoroughly and consider uninstalling the affected plugin and replacing it with a suitable alternative.
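
While the plugin is still installed, request bodies can be screened for serialized PHP objects in the 'settings' field. The following is an added example, not code from the plugin or from this advisory; it assumes the field arrives in a form-encoded POST body, treats base64 wrapping as a possibility only, and uses a placeholder action name and constructed sample bodies.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# PHP serialize() writes an object as O:<len>:"<Class>":<count>:{...}
# (C: for classes implementing Serializable). The token either starts the
# string or follows ';' or '{' when nested inside an array or another object.
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"([^"]+)":\d+:')

def candidates(value):
    """Yield the value as sent and, if it is valid base64 text, its decoding.
    Base64 wrapping is an assumption, not something the advisory states."""
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return

def inspect_body(body, param="settings"):
    """Return class names of serialized PHP objects found in one form field."""
    classes = []
    for value in parse_qs(body, keep_blank_values=True).get(param, []):
        for form in candidates(value):
            classes.extend(PHP_OBJECT.findall(form))
    return classes

# Constructed request bodies; "placeholder_action" is not the plugin's real action.
def _body(settings):
    return urlencode({"action": "placeholder_action", "settings": settings})

NESTED = 'a:1:{s:4:"mode";O:8:"stdClass":0:{}}'
SAMPLES = {
    "plain_array": _body('a:1:{s:4:"mode";s:4:"ajax";}'),
    "nested_object": _body(NESTED),
    "base64_object": _body(base64.b64encode(NESTED.encode()).decode()),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        hits = inspect_body(body)
        print(f"{name}: {'BLOCK ' + ', '.join(hits) if hits else 'ok'}")
```

A non-empty result means the field carries at least one object token and the request should be rejected or logged; plain arrays and scalars pass through.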

Added: May 29, 2026, 7:21 AM
Updated: May 29, 2026, 7:21 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.7
remediation: 0.0
relevance: 9.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.