CVE-2024-10828

Name of the Vulnerable Software and Affected Versions Advanced Order Export For WooCommerce plugin for WordPress versions up to, and including, 3.5.5

Description The issue concerns PHP Object Injection via deserialization of untrusted input during Order export when the Try to convert serialized values option is enabled. This allows unauthenticated attackers to inject a PHP Object. The presence of a POP chain enables attackers to delete arbitrary files on the server, potentially leading to remote code execution if critical files like wp-config.php are deleted.

Recommendations For versions up to, and including, 3.5.5, update to the latest version to protect your site. As a temporary workaround, consider disabling the Try to convert serialized values option until a patch is available. Restrict access to sensitive files on the server to minimize the risk of exploitation.