CVE-2024-8922: 
WordPress vulnerability analysis and mitigation

The Product Enquiry for WooCommerce plugin for WordPress contains a PHP Object Injection vulnerability (CVE-2024-8922) affecting all versions up to and including 2.2.33.32. The vulnerability was discovered and disclosed in September 2024, impacting WordPress installations using this WooCommerce product catalog plugin (NVD).

The vulnerability exists in the enquiry_detail.php file and involves the deserialization of untrusted input. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) (NVD, Wordfence).

While no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, if a POP chain exists via additional plugins or themes installed on the target system, authenticated attackers with Author-level access or higher could potentially delete arbitrary files, retrieve sensitive data, or execute code (NVD).

The vulnerability has been patched in version 2.2.33.34 of the Product Enquiry for WooCommerce plugin. Users are advised to update to this version or later to mitigate the risk (WordPress Plugin).