CVE-2022-3536 The Role Based Pricing plugin before 1.6.3 has no authorization and validation, which allows any authenticated user to perform phar deserialization attack.

they can upload a file, and a suitable gadget chain is present on the blog, such as Google Analytics, the attackers can inject malicious code into the blog, which then can be executed via the plugin. Since the update of the Role Based Pricing for WooCommerce WordPress plugin on March 5, 2018, the plugin now has security enhancements and proper CSRF and Auth checks to prevent such attacks. As a precautionary measure, we would recommend updating to the latest version of the Role Based Pricing for WooCommerce WordPress plugin by April 5, 2018. End users are encouraged to keep a close watch on the activities of any third party applications that they have integrations with, and ensure that they have vetted those applications as per their standards, and that they are not at risk of an attack like this.

References: https://wordpress.org/plugins/role-based-pricing-for-woocommerce-wordpress/

http://blog.woo.com/2018/03/role-based-pricing-update/
https://www.usnix.com/blog/2018/04/06/cve-2022-3536/#more

Since digital marketing is so important, why not outsource it to an expert? Outsourcing your digital marketing to experts will help you reach your ideal audience and cut costs while maximizing your return on investment (ROI). For example, small businesses can use the power of Facebook to target their ideal customers and increase conversions by using the right ad campaign that is visually appealing and relevant to their audience.

Timeline

Published on: 11/07/2022 10:15:00 UTC
Last modified on: 11/10/2022 06:47:00 UTC

References

• https://wpscan.com/vulnerability/6af63aab-b7a6-4ef6-8604-4b4b99467a34
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3536