CVE-2023-49777
📋 TL;DR
The YITH WooCommerce Product Add-Ons plugin passes attacker-controlled input to PHP's unserialize(), a PHP object injection flaw. An attacker who reaches the vulnerable endpoint can instantiate arbitrary PHP classes on the site; combined with a usable gadget chain in the installed code (themes or other plugins), that yields arbitrary code execution and full site compromise. All versions up to and including 4.3.0 are affected; version 4.4.0 fixes the issue.
💻 Affected Systems
- YITH WooCommerce Product Add-Ons
📦 What is this software?
A WordPress plugin by YITH that lets WooCommerce store owners attach extra options (add-ons such as text fields, checkboxes and selections) to products, so it is exposed on the customer-facing side of the shop.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server takeover, theft of customer and order data, malware installation, and website defacement.
Likely Case
An unauthenticated attacker who finds a usable gadget chain on the site writes a web shell or creates an administrator account, installs backdoors, and exfiltrates sensitive data.
If Mitigated
Reduced impact: a WAF that blocks serialized-object payloads, a hardened PHP configuration (disable_functions, open_basedir) and tight file permissions limit what a gadget chain can do, but they do not remove the flaw; only the update does.
🎯 Exploit Status
Public exploit details are available. The injection itself requires no authentication and little skill; turning it into code execution additionally needs a gadget chain among the classes loaded on the target site.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.0
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find YITH WooCommerce Product Add-Ons.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 4.4.0 or later from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable Plugin
Temporarily deactivate the vulnerable plugin until it is patched (product add-ons stop working on the storefront while it is off):
wp plugin deactivate yith-woocommerce-product-add-ons
Web Application Firewall Rule
Block requests whose parameters contain a serialized PHP object header. The rule below matches the full object header O:<len>:"<class>":<count>:{ (and C: for classes implementing Serializable) rather than any serialized array or string, because a:<n>:{ and s:<n>:" also appear in legitimate form data and would cause false positives:
ModSecurity rule: SecRule ARGS "@rx (?<![A-Za-z0-9])[OC]:\d+:\"[^\"]+\":\d+:\{" "id:1001,phase:2,deny,status:403,log,msg:'PHP Object Injection Attempt'"
Caveat: a WAF rule on the raw serialized syntax is bypassed if the application accepts the payload in an encoded form (for example base64), so treat it as a stopgap, not a fix.
🧯 If You Can't Patch
- Reject any user-supplied value that looks like a serialized PHP object (a header of the form O:<n>:"<class>":<n>:{) at the WAF or in application code, and never pass raw request input to unserialize(); where deserialization is unavoidable, call unserialize() with ['allowed_classes' => false] so that no class is instantiated.
- Do not put unserialize() in disable_functions: WordPress core relies on it and the site would break. Instead limit what a gadget chain can do: make plugin and theme directories non-writable by the web server user, set open_basedir, and add system, exec, shell_exec, passthru, proc_open and popen to disable_functions.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 4.3.0 or lower, you are vulnerable.
Check Version:
wp plugin get yith-woocommerce-product-add-ons --field=version
Verify Fix Applied:
Confirm plugin version is 4.4.0 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php whose parameters carry serialized PHP object headers (O:<n>:"<class>":<n>:{). Web server access logs do not record POST bodies, so this indicator is only visible in a WAF audit log or with request-body logging enabled.
- Unexpected PHP warnings or errors from unserialize(), or __PHP_Incomplete_Class notices, in the PHP error log
- New admin user creation or privilege escalation
Network Indicators:
- HTTP requests containing serialized PHP object headers, URL-encoded or not (for example O:8:"stdClass": or O%3A8%3A%22stdClass%22)
SIEM Query:
source="*access.log*" "admin-ajax.php" | regex _raw="(?i)[OC](:|%3A)\d+(:|%3A)(\"|%22)"
The query uses Splunk syntax; the patterns must be applied with the regex command, since quoted search terms such as "O:\d+:" are matched literally. This only finds payloads sent in the query string; for POST bodies run the same regex over the WAF audit log (for ModSecurity, modsec_audit.log).
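The following is an added example, not code from the page or from the plugin; it implements the object-header check behind both the ModSecurity rule in the workarounds section and the detection indicators above, and runs it over constructed form bodies such as a WAF audit log or request-body logging would expose (plain access logs carry no POST bodies). The parameter names and client addresses are made up; the object headers follow PHP's real serialization format.

```python
"""Flag serialized PHP objects in request parameters.

Added example, not code from the page or the plugin. Records are constructed
to look like what a WAF audit log or request-body logging exposes; plain web
server access logs do not contain POST bodies, so they cannot be scanned this way.
"""
import re
from urllib.parse import parse_qs

# A serialized PHP object starts with  O:<len>:"<class>":<count>:{  (C: for
# classes implementing Serializable). Requiring the whole header, not just
# "O:<n>:", keeps serialized arrays (a:) and strings (s:) out of the hits.
OBJECT_RE = re.compile(r'(?<![A-Za-z0-9])[OC]:\d+:"[^"]+":\d+:\{')

# The looser pattern that also fires on serialized arrays and strings. Kept only
# to show that it blocks benign form values containing a serialized string.
BROAD_RE = re.compile(r'O:\d+:"|a:\d+:\{|s:\d+:"')


def decode_params(body):
    """URL-decode a form body into {name: [values]}, as PHP does for $_POST."""
    return parse_qs(body, keep_blank_values=True)


def params_matching(body, pattern):
    """Names of parameters whose decoded value matches pattern (in body order)."""
    return [name for name, values in decode_params(body).items()
            if any(pattern.search(v) for v in values)]


def find_php_objects(body):
    """Parameters carrying a serialized PHP object: the object-injection signal."""
    return params_matching(body, OBJECT_RE)


def broad_matches(body):
    """Parameters the over-broad pattern would block, for comparison."""
    return params_matching(body, BROAD_RE)


def scan_records(records):
    """records: iterable of (client_ip, path, form_body). Returns flagged entries."""
    flagged = []
    for ip, path, body in records:
        params = find_php_objects(body)
        if params:
            flagged.append((ip, path, params))
    return flagged


# Constructed sample requests (not real traffic, not the plugin's real parameters).
SAMPLE_RECORDS = [
    # Benign: a text field whose value happens to contain a serialized string;
    # BROAD_RE would block it, OBJECT_RE lets it through.
    ("198.51.100.7", "/wp-admin/admin-ajax.php",
     "action=example_action&note=s%3A5%3A%22hello%22"),
    # Hostile: URL-encoded stdClass object with one property.
    ("203.0.113.9", "/wp-admin/admin-ajax.php",
     "action=example_action&data=O%3A8%3A%22stdClass%22%3A1%3A%7B"
     "s%3A3%3A%22cmd%22%3Bs%3A2%3A%22id%22%3B%7D"),
    # Hostile: namespaced gadget class nested inside a serialized array, so the
    # object header is not at the start of the value.
    ("203.0.113.9", "/wp-admin/admin-ajax.php",
     "data=a%3A1%3A%7Bi%3A0%3BO%3A11%3A%22Some%5CGadget%22%3A0%3A%7B%7D%7D"),
]

if __name__ == "__main__":
    for ip, path, params in scan_records(SAMPLE_RECORDS):
        print(f"{ip} {path} serialized PHP object in {params}")
```

The check decodes parameters first, because the payload arrives URL-encoded and the object header must be matched on the decoded value; it searches the whole value rather than anchoring at the start, since an object can be nested inside a serialized array. An attacker who can get the plugin to accept a base64-encoded payload would not be caught by this pattern, which is why the WAF rule and this scanner are detection aids and not a substitute for updating.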
🔗 References
- https://patchstack.com/database/vulnerability/yith-woocommerce-product-add-ons/wordpress-yith-woocommerce-product-add-ons-extra-options-plugin-4-3-0-php-object-injection-vulnerability?_s_id=cve