PT-2024-39323 · Woocommerce · Product Enquiry For Woocommerce

Francesco Carlucci · Published 2024-09-26 · Updated 2024-10-04 · CVE-2024-8922

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Product Enquiry for WooCommerce plugin, versions up to and including 2.2.33.32
Description: The vulnerability is PHP Object Injection via deserialization of untrusted input in enquiry detail.php. It allows authenticated attackers with Author-level access or higher to inject a PHP object. No known POP chain is present in the vulnerable software itself, but if a POP chain is reachable through an additional plugin or theme, it could enable the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Recommendations: For versions up to and including 2.2.33.32, update to a version that fixes the PHP Object Injection issue. As a temporary workaround, consider restricting access to the enquiry detail.php file until a patch is available. Avoid passing untrusted input to deserialization in the enquiry detail.php file to minimize the risk of exploitation.
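The weakness class described above, as an added illustration that is not code from the Product Enquiry for WooCommerce plugin: a generic handler that calls unserialize() on request data (the pattern CWE "Deserialization of Untrusted Data" names), next to two hardened forms. Function names, the sample payloads and the field names are hypothetical and constructed for this example.

```php
<?php
// Added illustration, not code from the Product Enquiry for WooCommerce plugin.
// All function names and sample inputs below are hypothetical.

// --- Weak pattern: untrusted input reaches unserialize() unrestricted -------
// If any loadable class (from any plugin or theme) defines __wakeup(),
// __destruct() or similar, a crafted string instantiates it. That is the
// POP-chain risk the advisory refers to, even when this plugin has no
// gadget of its own.
function load_enquiry_weak(string $raw): mixed
{
    return unserialize($raw);
}

// --- Hardened form 1: forbid object instantiation entirely ----------------
// With allowed_classes => false, serialized objects become
// __PHP_Incomplete_Class placeholders and no magic methods run.
// Scalars and arrays still round-trip, which is all enquiry data needs.
function load_enquiry_no_objects(string $raw): array|false
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return false; // reject anything that is not a plain array
    }
    // Belt and braces: the option above already blocks instantiation, but
    // refuse placeholders too so an object never reaches storage or output.
    array_walk_recursive($data, function ($value): void {
        if ($value instanceof __PHP_Incomplete_Class) {
            throw new InvalidArgumentException('object in enquiry payload');
        }
    });
    return $data;
}

// --- Hardened form 2: avoid PHP serialization for request data altogether --
// JSON carries no class information, so this bug class cannot occur.
function load_enquiry_json(string $raw): array|false
{
    $data = json_decode($raw, true, 8);
    return (json_last_error() === JSON_ERROR_NONE && is_array($data)) ? $data : false;
}

// --- Constructed sample inputs (not captured from the plugin) --------------
$safe   = serialize(['product' => 42, 'message' => 'Is this in stock?']);
$object = 'O:8:"stdClass":0:{}';            // a serialized object; harmless here
$nested = serialize(['x' => new stdClass]); // object hidden inside an array

var_dump(load_enquiry_no_objects($safe));   // plain array is accepted
var_dump(load_enquiry_no_objects($object)); // top-level object is rejected
try {
    load_enquiry_no_objects($nested);       // nested object is rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(load_enquiry_json('{"product":42,"message":"Is this in stock?"}'));
```

The advisory's precondition (Author-level access) points at a second, independent control: a WordPress capability check such as current_user_can() and a nonce check on the handler narrow who can reach the deserialization at all. That limits exposure but does not remove the weakness; only one of the hardened forms above does.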

Fix

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2024-8922

Affected Products: Product Enquiry For Woocommerce