CVE-2024-4371: 
WordPress vulnerability analysis and mitigation

The CoDesigner WooCommerce Builder for Elementor plugin for WordPress contains a PHP Object Injection vulnerability (CVE-2024-4371) affecting all versions up to and including 4.4.1. The vulnerability was discovered and disclosed in June 2024, impacting WordPress installations using this plugin (NVD).

The vulnerability stems from the insecure deserialization of untrusted input from the recently_viewed_products cookie. This implementation allows unauthenticated attackers to inject PHP Objects. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Wordfence assigned a score of 9.0 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (NVD).

While no known POP (Property-Oriented Programming) chain is present in the vulnerable plugin itself, if a POP chain exists via additional plugins or themes installed on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code on the affected system (NVD).

Users should upgrade to version 4.5 or later of the CoDesigner WooCommerce Builder for Elementor plugin to address this vulnerability (NVD).