CVE-2023-49777: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability (CVE-2023-49777) was discovered in YITH WooCommerce Product Add-Ons plugin versions up to 4.3.0. The vulnerability was disclosed on December 31, 2023, affecting the free version of the plugin for WordPress (NVD, WPScan).

The vulnerability exists in the 'saveaddon' function where untrusted input can be deserialized, potentially leading to PHP Object Injection. The issue received a CVSS v3.1 base score of 8.8 (HIGH) from NVD and 9.1 (CRITICAL) from Patchstack. While no POP (Property-Oriented Programming) chain is present in the vulnerable plugin itself, if a POP chain exists via additional plugins or themes on the target system, it could enable more severe exploitation ([Patchstack](https://patchstack.com/database/vulnerability/yith-woocommerce-product-add-ons/wordpress-yith-woocommerce-product-add-ons-extra-options-plugin-4-3-0-php-object-injection-vulnerability?s_id=cve)).

The vulnerability could allow authenticated attackers with Shop Manager privileges or higher to inject PHP objects. If exploited successfully in conjunction with a POP chain from other installed components, this could lead to arbitrary file deletion, sensitive data retrieval, or code execution (WPScan).

The vulnerability has been patched in version 4.3.1 of the YITH WooCommerce Product Add-Ons plugin. Users are advised to update to this version or later immediately. Patchstack has also issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).