CVE-2024-11465

7.2 HIGH

📋 TL;DR

The Custom Product Tabs for WooCommerce WordPress plugin is vulnerable to PHP object injection via insecure deserialization of the 'yikes_woo_products_tabs' post meta parameter. This allows authenticated attackers with Shop Manager or higher privileges to inject malicious PHP objects. No known POP chain exists in the vulnerable plugin itself, but if one is present in another installed plugin or theme, the injection could lead to arbitrary file deletion, data theft, or remote code execution.

💻 Affected Systems

Products:
  • Custom Product Tabs for WooCommerce WordPress plugin
Versions: All versions up to and including 1.8.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with WooCommerce and the vulnerable plugin installed. Attack requires authenticated user with Shop Manager role or higher.

⚠️ Risk & Real-World Impact

🔴 Worst Case

If combined with a suitable POP chain from another plugin/theme, attackers could achieve remote code execution, arbitrary file deletion, or sensitive data exfiltration, potentially compromising the entire WordPress installation and underlying server.

🟠 Likely Case

Authenticated attackers with Shop Manager privileges could inject PHP objects, but without a POP chain, impact is limited to potential application instability or denial of service. The most probable outcome is reconnaissance for other vulnerabilities to chain.

🟢 If Mitigated

With proper access controls limiting Shop Manager accounts and regular plugin updates, the risk is significantly reduced to minimal impact even if exploited.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and depends on availability of POP chains in other installed components. No known public exploits exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.8.6 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3159565%40yikes-inc-easy-custom-woocommerce-product-tabs%2Ftrunk&old=3159564%40yikes-inc-easy-custom-woocommerce-product-tabs%2Ftrunk

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Custom Product Tabs for WooCommerce'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.8.6+ from WordPress.org and manually update.

🔧 Temporary Workarounds

Restrict Shop Manager Access (Platform: all)

Limit the number of users with the Shop Manager role and implement strict access controls. Consider using role management plugins to further restrict capabilities.

Disable Plugin (Platform: WordPress)

Temporarily disable the plugin until patched if custom product tabs are not critical to site functionality.

wp plugin deactivate yikes-inc-easy-custom-woocommerce-product-tabs

🧯 If You Can't Patch

  • Implement strict access controls to limit Shop Manager accounts to trusted personnel only.
  • Deploy web application firewall (WAF) rules to block PHP object injection attempts and monitor for suspicious deserialization patterns.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for 'Custom Product Tabs for WooCommerce'. If version is 1.8.5 or lower, the system is vulnerable.

Check Version:

wp plugin get yikes-inc-easy-custom-woocommerce-product-tabs --field=version

Verify Fix Applied:

After updating, verify the plugin version shows 1.8.6 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to WordPress admin endpoints containing serialized data in 'yikes_woo_products_tabs' parameter
  • PHP errors related to unserialize() or object instantiation in WordPress debug logs

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php or similar endpoints with base64-encoded or serialized data in parameters

SIEM Query:

source="wordpress.log" AND "yikes_woo_products_tabs" AND ("unserialize" OR "O:" OR "base64_decode")
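As an added example (not part of this advisory or the plugin's code), the log indicator above expressed as a small Python checker run over constructed request-log lines: it parses the POST body, percent-decodes the 'yikes_woo_products_tabs' value, also tries one base64 layer, and flags the serialized PHP object header (the "O:" marker from the SIEM query). The log line format, the usernames, the endpoint paths and the benign array-shaped value are all assumptions made for the sample.

```python
import base64
import re
from urllib.parse import parse_qs

# Marker for a serialized PHP object header, e.g. O:8:"stdClass":0:{
# (class names may be namespaced, hence the backslash in the character class).
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
PARAM = "yikes_woo_products_tabs"
# Assumed log format (constructed): Apache-style prefix plus a body="..." field
# such as a request-body logging module or WAF would add; not a real WordPress format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ body="(?P<body>[^"]*)"')

def contains_php_object(value: str) -> bool:
    """True if value, or its base64-decoded form, carries a serialized PHP object header."""
    candidates = [value]
    try:
        candidates.append(base64.b64decode(value, validate=True).decode("utf-8", "replace"))
    except ValueError:  # not valid base64 (binascii.Error is a ValueError subclass)
        pass
    return any(PHP_OBJECT_RE.search(c) for c in candidates)

def flag_suspicious(log_text: str) -> list[dict]:
    """Return one record per log line whose PARAM value looks like a PHP object."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        params = parse_qs(m["body"], keep_blank_values=True)  # percent-decodes values
        for value in params.get(PARAM, []):
            if contains_php_object(value):
                hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"], "request": m["req"]})
                break
    return hits

# Constructed sample: a benign array save, a raw object, a base64-wrapped object, an unrelated POST.
SAMPLE_LOG = """\
203.0.113.5 - shopmgr [11/Dec/2024:10:01:02 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 body="post_ID=42&yikes_woo_products_tabs=a%3A1%3A%7Bi%3A0%3Bs%3A3%3A%22abc%22%3B%7D"
203.0.113.5 - shopmgr [11/Dec/2024:10:02:17 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 body="post_ID=42&yikes_woo_products_tabs=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"
198.51.100.9 - shopmgr [11/Dec/2024:10:03:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 body="action=save_tabs&yikes_woo_products_tabs=TzoxOiJYIjowOnt9"
198.51.100.9 - editor1 [11/Dec/2024:10:04:01 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 body="post_ID=43&post_title=Hello"
"""

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} {hit['ip']} user={hit['user']} {hit['request']}")
```

The checker only inspects the one parameter the advisory names, so a legitimate tab title that happens to contain an "O:" header would be a false positive worth reviewing rather than auto-blocking.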
