CVE-2017-18356

Name of the Vulnerable Software and Affected Versions WooCommerce plugin versions prior to 3.2.4

Description The issue allows an attack after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker constructs a specifically crafted string that turns into a PHP object injection involving the WC Shortcode Products::get products() function in the includes/shortcodes/class-wc-shortcode-products.php file, which uses cached queries within shortcodes.

Recommendations For versions prior to 3.2.4, update to version 3.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the WC Shortcode Products::get products() function until a patch is available. Additionally, limiting user privileges to below Shop manager may help minimize the risk of exploitation.