The Product Enquiry for WooCommerce, WooCommerce product catalog plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.33.32 via deserialization of untrusted input in enquiry_detail.php. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
History

Fri, 27 Sep 2024 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Piwebsolution
Piwebsolution product Enquiry For Woocommerce
CPEs cpe:2.3:a:piwebsolution:product_enquiry_for_woocommerce:*:*:*:*:*:*:*:*
Vendors & Products Piwebsolution
Piwebsolution product Enquiry For Woocommerce
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Sep 2024 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Sep 2024 05:45:00 +0000

Type Values Removed Values Added
Description The Product Enquiry for WooCommerce, WooCommerce product catalog plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.33.32 via deserialization of untrusted input in enquiry_detail.php. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Title Product Enquiry for WooCommerce <= 2.2.33.33 - Authenticated (Author+) PHP Object Injection in enquiry_detail.php
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-09-27T05:31:03.421Z

Updated: 2024-09-27T15:16:26.953Z

Reserved: 2024-09-16T23:30:33.859Z

Link: CVE-2024-8922

Vulnrichment

Updated: 2024-09-27T15:06:44.673Z

NVD

Status: Awaiting Analysis

Published: 2024-09-27T06:15:12.817

Modified: 2024-09-30T12:46:20.237

Link: CVE-2024-8922

Redhat

No data.