Object Injection Vulnerability in WooCommerce


Sucuri found an Object Injection Vulnerability in WooCommerce which can be used by an attacker to download any file on the vulnerable server.

The vulnerability is only present in websites using WooCommerce previous to version 2.3.11, which contains the patch, and when the “PayPal Identity Token” option is set. Depending on the environment the website is running in, through this Object Injection Vulnerability an attacker could do various things, including downloading critical files like wp-config.php, which in turn results to full site compromise.

Details of the Vulnerability

Let’s have a look at the technical details of the WooCommerce vulnerability, starting from the classification.

Vulnerability Details
Security Risk: Dangerous
Exploitation Level: Easy/Remote
DREAD Score: 8/10
Vulnerability: Object Injection
Patched Version: 2.3.11

The problem sits in the get_paypal_order() method of the WC_Gateway_Paypal_Response class, which calls the maybe_unserialize() WordPress function passing it the $custom function parameter, without sanitizing it. If this parameter contains user input, it can be used in Object Injection attacks.


The get_paypal_order() method

The get_paypal_order() method is used with variables that take value from the ‘cm’ request parameter (direct user input!), so anyone that can access the page where this code is executed (the plugin’s order-received page with some specific parameters set) can use this vector to potentially modify the application’s execution flow.


The check_reponse() method

Are you at risk?

The vulnerability is present most likely starting from version 2.0.20 up to 2.3.10. If you are in that range, it’s better for you to update the plugin to version 2.3.11 and stay safe.

The second thing you can do (if you, for some reasons, cannot update the plugin immediately) is having a look at WooCommerce > Settings > Checkout, scroll down to the Gateway Display Order option, and click the “Settings” button near the “PayPal” gateway. If the PayPal Identity Token setting is set, you are vulnerable.

Update as soon as possible!

CC BY-SA 4.0 Object Injection Vulnerability in WooCommerce by Mattia Migliorini is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.


Web Designer freelance, Ubuntu Member, Linux evangelist. Loves working on clear and minimal designs and wants to create beautiful things for different devices.

deshack wrote 82 posts

Post navigation

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>