Product Import Export for WooCommerce PHP Object Injection Vulnerability

Vulnerability

A PHP object injection vulnerability has been identified in the Product Import Export for WooCommerce - Import Export Product CSV Suite plugin for WordPress, affecting all versions through 2.5.0. The vulnerability arises because the untrusted 'form_data' request parameter is passed to PHP deserialization, allowing authenticated attackers with Administrator-level access to inject PHP objects. On its own the vulnerability has no impact, as there is no known object injection chain in the vulnerable software. It could become exploitable if another plugin or theme that supplies a suitable object injection chain is installed, potentially leading to unauthorized actions such as deleting files, accessing sensitive information, or executing arbitrary code, depending on the nature of the injected object and the available injection chain.

Impact

Exploitation of this vulnerability could lead to PHP object injection, allowing for manipulation of object properties and methods. If an object injection chain is available through another plugin or theme, it could result in more severe consequences, such as arbitrary file deletion, unauthorized access to sensitive data, or execution of malicious code.

Reproduction

The vulnerability can be reproduced by sending a POST request to the WordPress admin with the 'form_data' parameter containing serialized data that, when deserialized, injects a PHP object. This can be done using a variety of tools that allow for crafting and sending custom HTTP requests, such as Postman or a simple cURL command. The request must be made by a user with Administrator privileges.

Remediation

Users are advised to update the Product Import Export for WooCommerce - Import Export Product CSV Suite plugin to version 2.5.1 or later.
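The pattern behind this class of bug, as an added example that is not the plugin's own code: the vulnerable form calls unserialize() on request data, while the hardened form forbids object instantiation and insists on a plain array. Only the 'form_data' parameter name comes from the advisory; the function names are hypothetical, the sample inputs are constructed, and in a real WordPress handler the raw value would come from wp_unslash($_POST['form_data']).

```php
<?php
// Added example, not the plugin's code. Only the 'form_data' parameter name
// comes from the advisory; the function names here are hypothetical.

// Vulnerable pattern: unserialize() runs on request-controlled data. Any class
// loaded in the process whose __wakeup()/__destruct() has side effects becomes
// reachable, which is exactly what an object injection chain needs.
function decode_form_data_vulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened pattern: forbid object instantiation during deserialization and
// require the decoded value to be a plain array. With allowed_classes => false
// (PHP 7.0+), a serialized object becomes __PHP_Incomplete_Class and no magic
// methods run. Malformed input yields false, which is rejected as well.
function decode_form_data_hardened(string $raw): ?array
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null; // caller should treat this as a bad request
    }
    return $value;
}

// Detection helper: true if the payload carries an object (O:) or custom
// serializable (C:) token at a value position. Useful for logging
// 'form_data' submissions that should never contain objects.
function form_data_has_object_token(string $raw): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed sample inputs: a benign settings array and a serialized stdClass.
$benign   = 'a:1:{s:4:"rows";a:0:{}}';
$objectIn = 'O:8:"stdClass":0:{}';

var_dump(decode_form_data_vulnerable($objectIn) instanceof stdClass);
var_dump(decode_form_data_hardened($objectIn));
var_dump(decode_form_data_hardened($benign));
var_dump(form_data_has_object_token($objectIn));
var_dump(form_data_has_object_token($benign));
```

Where the settings payload does not need PHP-native serialization at all, replacing it with JSON (json_decode with assoc = true) removes the deserialization sink entirely.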

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.6
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.