CVE-2023-32795: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability (CVE-2023-32795) was discovered in WooCommerce Product Add-Ons plugin affecting versions through 6.1.3. The vulnerability was reported on April 4, 2023, by Rafie Muhammad and publicly disclosed on May 15, 2023 (Patchstack).

The vulnerability is classified as a PHP Object Injection vulnerability through deserialization of untrusted input. It received a CVSS v3.1 base score of 7.2 (HIGH) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned it a score of 8.2 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L. The vulnerability is identified under CWE-502 (Deserialization of Untrusted Data) (NVD, WPScan).

The vulnerability could potentially allow attackers to execute code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present in the system. If a POP chain exists via additional plugins or themes, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code (Patchstack).

The vulnerability has been fixed in version 6.2.0 of the WooCommerce Product Add-ons plugin. Users are advised to update to version 6.2.0 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).