CVE-2017-18356
N/A
N/A
Summary
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://blog.ripstech.com/2018/woocommerce-php-object-injection/
- https://woocommerce.wordpress.com/2017/11/16/woocommerce-3-2-4-security-fix-release-notes/
References
- https://blog.ripstech.com/2018/woocommerce-php-object-injection/
- https://woocommerce.wordpress.com/2017/11/16/woocommerce-3-2-4-security-fix-release-notes/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.