Impact
The WooCommerce Product Filters plugin for WordPress includes a PHP Object Injection flaw in versions older than 2.0.6. This weakness allows a hostile input containing a serialized PHP object to be processed without authentication or input validation. When such an object is deserialized, arbitrary PHP objects can be instantiated and their constructor or magic methods may be invoked, ultimately enabling the attacker to execute arbitrary code within the web application’s context. The vulnerability is classified under CWE-502, indicating improper deserialization handling.
Affected Systems
Every WordPress site that has the WooCommerce Product Filters plugin from Barn2 Media Ltd installed at a version earlier than 2.0.6 is impacted. The flaw resides solely within the plugin, so WordPress core and other plugins are not directly affected. Sites that rely on the plugin for product filtering are therefore exposed.
Risk and Exploitability
The CVSS score of 9.8 denotes critical severity, and the EPSS score is not available, leaving the precise probability of exploitation unknown but potentially high. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that an unauthenticated attacker can send a crafted serialized object to one of the plugin’s input endpoints via an HTTP request. Because the plugin processes the payload without authentication or integrity checks, the attacker can achieve full control over PHP object creation and method invocation, enabling remote code execution.
OpenCVE Enrichment