CVE-2024-4371
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform PHP object injection via the recently_viewed_products cookie in the CoDesigner WooCommerce Builder for Elementor WordPress plugin: the plugin passes the untrusted cookie value to PHP's unserialize(). On its own that only instantiates attacker-chosen objects; if a POP (property-oriented programming) chain exists through another installed plugin or theme, attackers could delete files, steal data, or execute code. Every WordPress site running a vulnerable plugin version is affected.
💻 Affected Systems
- CoDesigner WooCommerce Builder for Elementor WordPress plugin
📦 What is this software?
Codesigner by Codexpert
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data theft, and server takeover if a suitable POP chain exists in the environment.
Likely Case
Limited impact due to no known POP chain in the vulnerable plugin itself, but potential for data exposure or file deletion if other vulnerable components are present.
If Mitigated
No impact if plugin is patched or removed, or if no other vulnerable plugins/themes provide POP chains.
🎯 Exploit Status
Exploitation requires crafting malicious serialized objects and depends on available POP chains in the environment.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.2 or later
Vendor Advisory (the fix changeset in the plugin's SVN repository): https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3099922%40woolementor&new=3099922%40woolementor
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'CoDesigner WooCommerce Builder for Elementor'.
4. Click 'Update Now' if available, or download the latest version from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the plugin until patched (the plugin slug is woolementor):
wp plugin deactivate woolementor
Block malicious cookies
Block requests whose recently_viewed_products cookie carries a serialized PHP object token. The browser sends the cookie URL-encoded (O:8:"... arrives as O%3A8%3A%22...), so the ModSecurity rule decodes the value before matching. It reads the cookie from REQUEST_COOKIES, not ARGS: ARGS only covers query-string and body parameters and would never see a cookie. PHP's object tokens are the uppercase letters O and C, so lowercase variants are not matched.
SecRule REQUEST_COOKIES:recently_viewed_products "@rx [OC]:\d+:" "id:1001,phase:1,t:none,t:urlDecodeUni,deny,status:403,log,msg:'PHP Object Injection attempt in recently_viewed_products cookie'"
Add to .htaccess (Apache 2.4). SetEnvIf cannot URL-decode, so the pattern accepts both a literal colon and %3A, and SetEnvIf on its own only tags the request; the Require block is what denies it:
SetEnvIf Cookie "recently_viewed_products=[^;]*[OC](?:%3[Aa]|:)[0-9]+(?:%3[Aa]|:)" block_cookie
<RequireAll>
    Require all granted
    Require not env block_cookie
</RequireAll>
On Apache 2.2 replace the RequireAll block with "Deny from env=block_cookie". Both patterns are deliberately broad and will also fire on a serialized string whose content happens to contain O:<digits>:, so if the cookie can legitimately carry free-text strings, check the access log for matches before enabling the deny.
🧯 If You Can't Patch
- Remove the plugin entirely if not essential
- Implement strict WAF rules to block serialized objects in cookies
🔍 How to Verify
Check if Vulnerable:
Any installed version below 4.4.2 is vulnerable. Check the version in WordPress admin under Plugins > Installed Plugins, or with WP-CLI (the plugin slug is woolementor):
Check Version:
wp plugin get woolementor --field=version
Verify Fix Applied:
Confirm the plugin version is 4.4.2 or higher, and confirm in the plugin source that the recently_viewed_products cookie value is no longer passed to unserialize() (compare against the fix changeset linked above). The version check reads the plugin header only, so a manually patched copy that still reports an old version will show up as vulnerable here.
📡 Detection & Monitoring
Log Indicators:
- PHP notices of the form "unserialize(): Error at offset N of M bytes" in the PHP error log; these come from malformed or truncated payloads during probing, a well-formed payload deserializes silently and leaves no error
- recently_viewed_products cookie values containing an object token (O:<len>:"ClassName" or C:<len>:"ClassName", which appears in the raw header URL-encoded as O%3A...%22) in access logs; most default LogFormats do not record the Cookie header, so this needs the Cookie header added to the log format or a WAF/reverse-proxy log that captures it
- Cookie values that are anything other than a serialized array of product IDs, assuming that is all the legitimate cookie carries
Network Indicators:
- HTTP requests with unusually long or structured recently_viewed_products cookie values
- Patterns matching serialized PHP objects in cookie data
SIEM Query (assumes the log source extracts the Cookie header into a cookie field; the raw header is URL-encoded, so both forms are matched, and the OR branches are parenthesized because AND binds tighter and would otherwise drop the source filter from the later branches):
source="web_access_logs" AND (cookie="*recently_viewed_products=*O:*" OR cookie="*recently_viewed_products=*O%3A*" OR cookie="*recently_viewed_products=*C:*" OR cookie="*recently_viewed_products=*C%3A*")
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3099922%40woolementor&new=3099922%40woolementor&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d1e5131a-9e72-441d-971c-8b9af35cf3f7?source=cve