Wordpress plugin WOOF - Admin + PHP Object Injection

Description:

The WordPress plugin woocommerce-product-filter (WOOF), version < 1.3.2, was affected by a PHP Object Injection vulnerability. It may enable high-privilege users such as administrators to insert and execute arbitrary code. The vulnerability was due to unserialization of user-supplied input passed through the plugin's settings in WordPress.

WooCommerce Product Filter is a product search plugin for WooCommerce that allows users to filter products by categories, attributes, product tags, custom product taxonomies and price. The plugin made use of the PHP unserialize() function, which is dangerous when user input is not properly validated before being passed to it. Since PHP supports object serialization, attackers might inject arbitrary PHP objects into the application scope by passing ad-hoc serialized strings to a susceptible unserialize() call. The vulnerability was fixed in the latest plugin version, 1.3.2.

Affected Version:

  • < 1.3.2

CVE IDs:

  • CVE-2022-4489

Source:

Impact:

  • High-privilege users such as administrators can insert and execute arbitrary PHP code.

Recommendation:

  • Update to the latest non-vulnerable version of the plugin, 1.3.2

  • Do not pass user-supplied input to the unserialize() function; use JSON functions instead
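To illustrate the second recommendation, here is an added example (not the plugin's own code) of the vulnerable settings-loading pattern beside two hardened variants; function, option and nonce names are hypothetical.

```php
<?php
// Added example, not code from the WOOF plugin: a WordPress option loaded
// with unserialize(), beside hardened versions. Names are hypothetical.

// Vulnerable pattern: a settings value submitted by a user is unserialized
// as-is, so a serialized object record ("O:...") is instantiated and any
// __wakeup()/__destruct() magic method of a class present in the install runs.
function load_filter_settings_vulnerable(string $raw): array {
    $settings = unserialize($raw);                // may construct arbitrary objects
    return is_array($settings) ? $settings : [];
}

// Hardened pattern 1: forbid object construction entirely. With
// allowed_classes => false every object record becomes __PHP_Incomplete_Class,
// whose magic methods do not run; anything that is not a plain array is rejected.
function load_filter_settings_safe_unserialize(string $raw): array {
    $settings = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($settings) ? $settings : [];
}

// Hardened pattern 2 (the advisory's recommendation): store settings as JSON.
// json_decode() with $assoc = true can only ever yield scalars and arrays.
function load_filter_settings_json(string $raw): array {
    $settings = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($settings)) {
        throw new InvalidArgumentException('settings must be a JSON object');
    }
    return $settings;
}

// Save side: verify the nonce and capability, keep only whitelisted keys with
// the expected types, and persist the result as JSON rather than a PHP blob.
function save_filter_settings(): void {
    check_admin_referer('woof_save_settings');   // hypothetical nonce action name
    if (!current_user_can('manage_options')) {
        wp_die('insufficient privileges');
    }
    $allowed = ['show_price' => 'bool', 'per_page' => 'int'];
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (isset($_POST[$key])) {
            $clean[$key] = ($type === 'int') ? (int) $_POST[$key] : (bool) $_POST[$key];
        }
    }
    update_option('woof_filter_settings', wp_json_encode($clean)); // hypothetical option name
}
```

Reading the option back through load_filter_settings_json() then fails closed on any non-JSON value, including a legacy serialized string.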

Rajani Shrestha 17 January, 2023