CVE-2024-12721
📋 TL;DR
This vulnerability allows authenticated attackers with Shop Manager or higher privileges to perform PHP object injection via the 'wb_custom_tabs' parameter in the Custom Product Tabs For WooCommerce WordPress plugin. While no known POP chain exists in the vulnerable plugin itself, if another plugin or theme provides a suitable POP chain, attackers could execute arbitrary code, delete files, or access sensitive data. Only WordPress sites using this specific plugin are affected.
💻 Affected Systems
- Custom Product Tabs For WooCommerce WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
If combined with a suitable POP chain from another plugin/theme, attackers could achieve remote code execution, delete critical files, or exfiltrate sensitive data including database credentials and user information.
Likely Case
Limited impact due to requirement for Shop Manager+ authentication and lack of known POP chain in the vulnerable plugin itself. Most likely exploitation would require attacker to first compromise a Shop Manager account.
If Mitigated
With proper access controls and no vulnerable POP chains in other plugins/themes, impact is limited to potential denial of service or minor data corruption.
🎯 Exploit Status
Exploitation requires: 1) Valid Shop Manager+ credentials, 2) A suitable POP chain from another plugin/theme, 3) Knowledge of the vulnerability. No public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.5 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/wb-custom-product-tabs-for-woocommerce/trunk/includes/class-wb-custom-product-tabs-for-woocommerce.php#L366
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Custom Product Tabs For WooCommerce'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 1.2.5+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the plugin until patched
wp plugin deactivate wb-custom-product-tabs-for-woocommerce
Restrict Shop Manager access
allReview and minimize Shop Manager accounts, implement strong authentication
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests containing serialized PHP objects in the wb_custom_tabs parameter
- Enable WordPress security plugins that detect and block PHP object injection attempts
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin: Plugins → Installed Plugins → Custom Product Tabs For WooCommerce. If version is 1.2.4 or lower, you are vulnerable.Check Version:
wp plugin get wb-custom-product-tabs-for-woocommerce --field=versionVerify Fix Applied:
After updating, verify plugin version shows 1.2.5 or higher in WordPress admin plugins page.📡 Detection & Monitoring
Log Indicators:
- POST requests to WordPress admin-ajax.php or admin-post.php containing 'wb_custom_tabs' parameter with serialized data
- PHP errors related to unserialize() or object injection in WordPress debug logs
Network Indicators:
- HTTP POST requests with serialized PHP objects in parameters
- Unusual admin-ajax.php requests from Shop Manager accounts
SIEM Query:
source="wordpress.log" AND "wb_custom_tabs" AND ("unserialize" OR "O:" OR "C:")