vulnerability

WordPress Plugin: woocommerce: CVE-2017-18356: Improper Control of Generation of Code ('Code Injection')

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:L/Au:S/C:P/I:P/A:P)	Nov 16, 2017	May 15, 2025	May 15, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:P/A:P)

Published

Nov 16, 2017

Added

May 15, 2025

Modified

May 15, 2025

Description

In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.

Solution

woocommerce-plugin-cve-2017-18356

References

URL-https://www.cve.org/CVERecord?id=CVE-2017-18356
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/69fa0b8f-8509-47a8-951a-830271b2b29e?source=api-prod
CVE-2017-18356
https://attackerkb.com/topics/CVE-2017-18356

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today