CVE-2024-8922

EPSS 2.63%
Veröffentlicht 27.09.2024 06:15:12
Zuletzt bearbeitet 04.10.2024 19:11:47
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Product Enquiry for WooCommerce <= 2.2.33.33 - Authenticated (Author+) PHP Object Injection in enquiry_detail.php

The Product Enquiry for WooCommerce, WooCommerce product catalog plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.33.32 via deserialization of untrusted input in enquiry_detail.php. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Mögliche Gegenmaßnahme

Product Enquiry or product catalog for WooCommerce: Update to version 2.2.33.34, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Product Enquiry or product catalog for WooCommerce

Version *-2.2.33.33

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Piwebsolution ≫ Product Enquiry For Woocommerce SwPlatformwordpress Version < 2.2.33.34

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.63%	0.854

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://plugins.trac.wordpress.org/changeset/3155863/enquiry-quotation-for-woocommerce

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/9a485314-cd68-400c-b398-2f8529c6a3ab?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/9a485314-cd68-400c-b398-2f8529c6a3ab

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-8922

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-8922

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-8922

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-8922