The vulnerability is only present in websites using WooCommerce prior to version 2.3.11, which contains the patch, and only when the “PayPal Identity Token” option is set. Depending on the environment the website is running in, an attacker could use this Object Injection Vulnerability for various things, including downloading critical files like wp-config.php, which in turn results in full site compromise.
Details of the Vulnerability
Let’s have a look at the technical details of the WooCommerce vulnerability, starting from the classification.
Exploitation Level: Easy/Remote
DREAD Score: 8/10
Vulnerability: Object Injection
Patched Version: 2.3.11
The problem sits in the get_paypal_order() method of the WC_Gateway_Paypal_Response class, which calls the maybe_unserialize() WordPress function on its $custom parameter without sanitizing it. If this parameter contains user input, it can be used in Object Injection attacks.
The get_paypal_order() method is called with variables that take their value from the ‘cm’ request parameter (direct user input!), so anyone who can reach the page where this code is executed (the plugin’s order-received page with some specific parameters set) can use this vector to potentially modify the application’s execution flow.
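To make the issue concrete, here is an added, stand-alone illustration of the pattern described above next to a hardened form. It is not WooCommerce’s or WordPress’s own code, and it is not the actual patch: maybe_unserialize_demo() is a simplified stand-in for WordPress’s maybe_unserialize(), the two get_paypal_order_*() functions are a constructed sketch of the data flow, and AuditProbe is a harmless class constructed only to show that an object in request data gets instantiated and its magic method runs.

```php
<?php
// Added example, not WooCommerce's code. Shows why passing request data to
// unserialize() is Object Injection, and one way to read the same data safely.

// Simplified stand-in for WordPress's maybe_unserialize(): if the string looks
// like serialized PHP, it is handed to unserialize(). Real WordPress uses a
// more thorough is_serialized() check, but the unserialize() call is the same.
function maybe_unserialize_demo( $data ) {
    if ( is_string( $data ) && preg_match( '/^[aObisdN][:;]/', trim( $data ) ) ) {
        return @unserialize( $data );
    }
    return $data;
}

// Vulnerable pattern (constructed sketch): the 'cm' request parameter ends up
// in unserialize(). Any class name in the payload is instantiated inside the
// application, and its __wakeup()/__destruct() run before the type check.
function get_paypal_order_vulnerable( $custom ) {
    $custom = maybe_unserialize_demo( $custom );
    if ( is_array( $custom ) && isset( $custom[0] ) ) {
        return (int) $custom[0]; // order id
    }
    return false;
}

// Hardened pattern (my example, not the project's fix): treat the parameter as
// plain data. Prefer JSON, which cannot instantiate classes; if a legacy
// serialized format must still be read, forbid every class so any object in the
// payload becomes __PHP_Incomplete_Class and no application magic method runs.
function get_paypal_order_hardened( $custom ) {
    $decoded = json_decode( (string) $custom, true );
    if ( json_last_error() === JSON_ERROR_NONE && is_array( $decoded ) && isset( $decoded[0] ) ) {
        return (int) $decoded[0];
    }
    $legacy = @unserialize( (string) $custom, array( 'allowed_classes' => false ) );
    if ( is_array( $legacy ) && isset( $legacy[0] ) ) {
        return (int) $legacy[0];
    }
    return false;
}

// Harmless probe class, constructed for the demo: it only reports that it was
// instantiated from request data, which is exactly what a defender wants to see.
class AuditProbe {
    public function __wakeup() {
        echo "AuditProbe::__wakeup() ran: an object was instantiated from request data\n";
    }
}

// Constructed inputs. The first is the shape the legitimate flow carries
// (order id and order key); the second is a serialized object of the probe class.
$benign = 'a:2:{i:0;i:123;i:1;s:3:"key";}';
$probe  = 'O:10:"AuditProbe":0:{}';

var_dump( get_paypal_order_vulnerable( $benign ) );
var_dump( get_paypal_order_vulnerable( $probe ) );
var_dump( get_paypal_order_hardened( $probe ) );
var_dump( get_paypal_order_hardened( '[123,"key"]' ) );
```

Run with `php` (7.0 or later, for the `allowed_classes` option). The vulnerable function returns the order id for the benign input but, for the probe, prints the `__wakeup()` line before returning false, showing that the class was instantiated regardless of the later `is_array()` check. The hardened function never instantiates the probe and still returns the order id from the JSON form. On the detection side, the same pattern applies to monitoring: a serialized string beginning with `O:` arriving in a request parameter that should only ever carry an array or an id is a strong signal worth alerting on.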
Are you at risk?
The vulnerability is most likely present from version 2.0.20 up to 2.3.10. If you are in that range, it’s better for you to update the plugin to version 2.3.11 and stay safe.
The second thing you can do (if, for some reason, you cannot update the plugin immediately) is to have a look at WooCommerce > Settings > Checkout, scroll down to the Gateway Display Order option, and click the “Settings” button near the “PayPal” gateway. If the PayPal Identity Token setting is set, you are vulnerable.