CVE-2024-12600
📋 TL;DR
This vulnerability allows authenticated attackers with Shop Manager or higher privileges to perform PHP object injection via the 'frs_woo_product_tabs' parameter in the Custom Product Tabs Lite for WooCommerce WordPress plugin. While no known POP chain exists in the vulnerable plugin itself, if another plugin or theme provides a suitable chain, attackers could delete files, access sensitive data, or execute arbitrary code. Only WordPress sites using this plugin up to version 1.9.0 are affected.
💻 Affected Systems
- Custom Product Tabs Lite for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data theft, or site destruction if a suitable POP chain exists from another plugin/theme.
Likely Case
Limited impact: exploitation requires an authenticated Shop Manager account, and no POP chain is known in the vulnerable plugin itself, so most exploitation attempts are likely to fail.
If Mitigated
No impact if the plugin is patched or removed, or if access controls prevent unauthorized Shop Manager accounts.
🎯 Exploit Status
Exploitation requires authenticated access with Shop Manager privileges and depends on presence of suitable POP chain from other installed plugins/themes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.9.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3226839/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Custom Product Tabs Lite for WooCommerce'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.9.1+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Remove vulnerable plugin
Platform: WordPress. Temporarily disable or remove the plugin until patched:
wp plugin deactivate woocommerce-custom-product-tabs-lite
wp plugin delete woocommerce-custom-product-tabs-lite
Restrict Shop Manager access
Platform: all. Review and limit Shop Manager accounts to trusted users only.
🧯 If You Can't Patch
- Remove the plugin entirely from production systems
- Implement strict access controls and monitor for unauthorized Shop Manager accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Custom Product Tabs Lite for WooCommerce → Version. If version is 1.9.0 or lower, system is vulnerable.
Check Version:
wp plugin get woocommerce-custom-product-tabs-lite --field=version
Verify Fix Applied:
Verify plugin version is 1.9.1 or higher in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- POST requests containing 'frs_woo_product_tabs' parameter with serialized data
- Unusual activity from Shop Manager accounts
- PHP errors related to unserialize() or object injection
Network Indicators:
- HTTP POST requests to WordPress admin-ajax.php or admin-post.php with serialized data in parameters
SIEM Query:
source="wordpress.log" AND "frs_woo_product_tabs" AND ("unserialize" OR "O:")
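As an added example that is not part of this advisory, the log indicators above turned into a small Python scanner: it parses POST bodies, isolates the 'frs_woo_product_tabs' parameter (including array sub-fields), and flags values carrying a PHP serialized object token, which is tighter than the bare "O:" string match in the SIEM query (that also hits text such as "INFO:"). The log layout, IPs, user names and request bodies are constructed; a log that records request bodies (WAF or audit log) is assumed, since plain access logs do not.

```python
import re
from urllib.parse import parse_qs

PARAM = "frs_woo_product_tabs"

# PHP serialized object token: O:<len>:"<ClassName>" (C: is the custom-serialized form).
# Tighter than the bare string "O:", which also matches harmless text such as "INFO:".
PHP_OBJECT_RE = re.compile(r'\b[OC]:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*"')

# Assumed (constructed) log layout: ip user "METHOD path proto" status body=<url-encoded form body>
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) body=(?P<body>.*)$')

def object_tokens_in_body(body):
    """Return PHP object tokens found in the tab parameter (or its array sub-fields)."""
    tokens = []
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if key == PARAM or key.startswith(PARAM + "["):
            for value in values:
                tokens.extend(m.group(0) for m in PHP_OBJECT_RE.finditer(value))
    return tokens

def scan_log(lines):
    """One alert per POST whose tab parameter carries a serialized PHP object."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # GETs and unparsable lines are out of scope
        tokens = object_tokens_in_body(m["body"])
        if tokens:
            alerts.append({"line": lineno, "ip": m["ip"], "user": m["user"],
                           "path": m["path"], "tokens": tokens})
    return alerts

# Constructed sample entries: one nested object token, one benign tab edit with "INFO:" text,
# one GET containing "O:" in the query string, one unrelated POST.
SAMPLE_LOG = [
    '203.0.113.5 shopmgr "POST /wp-admin/post.php HTTP/1.1" 302 body=post_ID=42'
    '&frs_woo_product_tabs=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D&action=editpost',
    '203.0.113.7 editor "POST /wp-admin/post.php HTTP/1.1" 302 body=post_ID=43'
    '&frs_woo_product_tabs%5B0%5D%5Btitle%5D=Shipping&frs_woo_product_tabs%5B0%5D%5Bcontent%5D=INFO%3A+ships+soon',
    '198.51.100.9 - "GET /?s=O%3A1 HTTP/1.1" 200 body=',
    '203.0.113.7 editor "POST /wp-login.php HTTP/1.1" 200 body=log=editor&pwd=%5Bredacted%5D',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Only the first sample line is reported; the benign tab edit, the GET and the login POST produce no alert.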