vulnerability

WordPress Plugin: woocommerce: CVE-2017-18356: Improper Control of Generation of Code ('Code Injection')

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:P/A:P)

Published

Nov 16, 2017

Added

May 15, 2025

Modified

May 5, 2026

Description

In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.

Solution

woocommerce-plugin-cve-2017-18356

References

https://www.cve.org/CVERecord?id=CVE-2017-18356
https://www.wordfence.com/threat-intel/vulnerabilities/id/69fa0b8f-8509-47a8-951a-830271b2b29e?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2017-9476
CVE-2017-18356
https://attackerkb.com/topics/CVE-2017-18356
CWE-94
EUVD-EUVD-2017-9476

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report