Impact
The Advanced Product Fields plugin for WooCommerce contains a PHP Object Injection flaw that can be triggered via the shop manager interface. A crafted serialized payload may be deserialized by the plugin, allowing an attacker to instantiate arbitrary PHP objects and potentially execute malicious code on the hosting server. This weakness is classified as CWE‑502, which can compromise the confidentiality, integrity, and availability of affected sites.
Affected Systems
The flaw affects installations of the Wombat Plugins Advanced Product Fields (Product Addons) for WooCommerce plugin with versions 1.6.19 and earlier. The description does not list additional sub‑versions or patch releases beyond 1.6.19.
Risk and Exploitability
The CVSS base score is 7.2, indicating a high impact when the vulnerability is exploitable. The EPSS score of less than 1 % suggests that the likelihood of active exploitation at the moment is low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the typical attack path involves a remote attacker injecting a malicious serialized object through the shop manager input channel, which is then unserialized by the plugin during normal operation.
OpenCVE Enrichment