CVE-2022-3536

Name of the Vulnerable Software and Affected Versions Role Based Pricing for WooCommerce WordPress plugin versions prior to 1.6.3

Description The issue concerns a lack of authorization and proper CSRF checks, as well as inadequate validation of paths provided via user input. This allows authenticated users, such as subscribers, to perform PHAR deserialization attacks if they can upload a file and a suitable gadget chain is present on the blog.

Recommendations For versions prior to 1.6.3, update to version 1.6.3 or later to resolve the issue. As a temporary workaround, consider restricting file upload capabilities for authenticated users like subscribers to minimize the risk of exploitation.