Vulnerability Description
The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.5 via deserialization of untrusted input during Order export when the "Try to convert serialized values" option is enabled. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Algolplus | Advanced Order Export For Woocommerce | < 3.5.6 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/woo-order-export-lite/trunk/classes/PProduct
- https://plugins.trac.wordpress.org/browser/woo-order-export-lite/trunk/classes/cProduct
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a1c6eed6-7b3f-4b37-85fThird Party Advisory
FAQ
What is CVE-2024-10828?
CVE-2024-10828 is a vulnerability with a CVSS score of 8.1 (HIGH). The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.5 via deserialization of untrusted input during Order exp...
How severe is CVE-2024-10828?
CVE-2024-10828 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-10828?
Check the references section above for vendor advisories and patch information. Affected products include: Algolplus Advanced Order Export For Woocommerce.