CVE-2024-1773
EUVD-2024-1749807.03.2024, 19:15
The PDF Invoices and Packing Slips For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.7 via deserialization of untrusted input via the order_id parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| acowebs | pdf_invoices_and_packing_slips_for_woocommerce | 𝑥 < 1.3.8 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| acowebs | pdf_invoices_and_packing_slips | 𝑥 ≤ 1.3.7 | ADP |
Common Weakness Enumeration
- CWE-502 - Deserialization of Untrusted DataThe application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
References