First published: Tue Jan 15 2019
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attacker who already holds a user account with at least Shop manager privileges on the target site can construct a specifically crafted string that results in PHP object injection. The injection occurs in includes/shortcodes/class-wc-shortcode-products.php, through the way WC_Shortcode_Products::get_products() uses cached queries within shortcodes.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Automattic WooCommerce | <3.2.4 | Update to 3.2.4 or later |
WooCommerce WooCommerce | <3.2.4 | Update to 3.2.4 or later |
CVE-2017-18356 is a vulnerability in the Automattic WooCommerce plugin before version 3.2.4 for WordPress.
The severity of CVE-2017-18356 is high (CVSS v3 base score of 8.8). The score reflects that the attack is network-reachable and needs no user interaction, but does require an authenticated account with Shop manager privileges (low-privilege precondition).
An attacker can exploit CVE-2017-18356 by first obtaining a user account on the target site with at least Shop manager privileges, then constructing a specifically crafted string that results in PHP object injection in the shortcode products query cache. Shop manager is a role routinely given to store staff, so the account requirement should not be treated as a strong mitigation; review which accounts hold that role as part of the response.
The affected software of CVE-2017-18356 is the Automattic WooCommerce plugin before version 3.2.4 for WordPress.
You can fix CVE-2017-18356 by updating your Automattic WooCommerce plugin to version 3.2.4 or later. After updating, confirm the installed version, for example with WP-CLI: wp plugin get woocommerce --field=version
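The description above and the exploitation summary both come down to one mechanism: cached data that an attacker can shape is passed to unserialize(), which instantiates any class named in the data and lets that class's magic methods run. The following is an added example, not WooCommerce's or WordPress's code. The CacheFlusher gadget class, the SerializingCache store, the cache key and the payload string are all constructed for the illustration, and the route by which the crafted string reaches the cached-query path in get_products() is not reproduced; the example only shows why a serialize/unserialize cache is dangerous once an attacker influences its contents, and what the hardened read looks like. It assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Constructed gadget class (not from WooCommerce or WordPress). Any loadable
// class whose magic method (__wakeup, __destruct, __toString, ...) has side
// effects is a gadget; real sites inherit such classes from core, themes and
// other plugins, which is why unserialize() on attacker-shaped data is enough.
final class CacheFlusher
{
    /** @var string[] records what "ran", so the effect is observable */
    public static array $executed = [];

    public string $command = 'noop';

    public function __destruct()
    {
        // A real gadget would shell out, write a file or include a path here.
        self::$executed[] = $this->command;
    }
}

// Minimal stand-in for a transient store: values are serialized on write and
// unserialized on read, as WordPress does for transients kept in the options
// table. The real shortcode cache is not reproduced here.
final class SerializingCache
{
    /** @var array<string,string> */
    private array $rows = [];

    public function set(string $key, array $value): void
    {
        $this->rows[$key] = serialize($value);
    }

    // Vulnerable read: unserialize() instantiates whatever class the data names.
    public function getUnsafe(string $key): mixed
    {
        return isset($this->rows[$key]) ? unserialize($this->rows[$key]) : false;
    }

    // Hardened read: refuse to instantiate objects at all, then verify the shape
    // of the result before trusting it. Callers treat false as a cache miss and
    // rebuild the query.
    public function getSafe(string $key): array|false
    {
        if (!isset($this->rows[$key])) {
            return false;
        }
        $value = unserialize($this->rows[$key], ['allowed_classes' => false]);
        return is_array($value) ? $value : false;
    }

    // Stands in for the attacker's influence over a cached value. The advisory
    // only states that a crafted string reaches the cached-query path in
    // get_products(); the actual route in WooCommerce is not reproduced here.
    public function poison(string $key, string $raw): void
    {
        $this->rows[$key] = $raw;
    }
}

$cache = new SerializingCache();

// Legitimate use: cache a query result, here an array of product IDs.
$cache->set('wc_loop_demo', ['ids' => [12, 15, 17]]);

// Constructed payload: a serialized CacheFlusher with an attacker-chosen property.
$payload = 'O:12:"CacheFlusher":1:{s:7:"command";s:12:"touch /tmp/x";}';
$cache->poison('wc_loop_demo', $payload);

// Vulnerable path: the gadget is instantiated on read and its destructor fires
// as soon as the last reference is dropped.
$result = $cache->getUnsafe('wc_loop_demo');
printf("unsafe read returned %s\n", get_debug_type($result));
unset($result);
printf("executed after unsafe read: %s\n", json_encode(CacheFlusher::$executed));

// Hardened path: the same bytes come back as __PHP_Incomplete_Class, fail the
// is_array() check, and no destructor of any real class can run.
CacheFlusher::$executed = [];
$safe = $cache->getSafe('wc_loop_demo');
printf("safe read returned %s\n", var_export($safe, true));
printf("executed after safe read: %s\n", json_encode(CacheFlusher::$executed));
```

Run it with php example.php. The unsafe read hands back a live CacheFlusher and its __destruct() runs the moment the variable is unset; the hardened read returns false for the same bytes because allowed_classes => false turns the object into a __PHP_Incomplete_Class that has no magic methods and fails the is_array() check. The general rule the example illustrates is that unserialize() must never see data an attacker can shape; where a cache genuinely has to hold structured data, store arrays or JSON, or allow-list the specific classes expected, and always validate the type of what comes back before using it.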