CVE-2023-51505: 
NixOS vulnerability analysis and mitigation

The Active Products Tables for WooCommerce plugin for WordPress contains a Deserialization of Untrusted Data vulnerability (CVE-2023-51505) affecting versions up to and including 1.0.6. The vulnerability was discovered and disclosed on December 27, 2023, and a fix was released in version 1.0.6.1 (WPScan, Patchstack).

The vulnerability is classified as a PHP Object Injection vulnerability (CWE-502) that occurs through deserialization of untrusted input. It has received a Critical CVSS v3.1 base score of 9.8 (NIST) and 10.0 (Patchstack), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows unauthenticated attackers to inject PHP Objects. If a POP (Property-Oriented Programming) chain is present via additional plugins or themes on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute malicious code (WPScan).

Users are strongly advised to update to version 1.0.6.1 or later to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to a fixed version (Patchstack).