Vulnerabilities and security researches forwoocommerce-custom-product-tabs-lite woocommerce-custom-product-tabs-lite

Jun 07, 2024

CVE, Research URL: 92356af81b7ddd7979c0827310900e75d252851f
Home page URL: Security reports for Custom Product Tabs Lite for WooCommerce
Application: Custom Product Tabs Lite for WooCommerce
Date: Aug 07, 2022
Research Description: Custom Product Tabs Lite for WooCommerce [woocommerce-custom-product-tabs-lite] < 1.7.7 (closed) Custom Product Tabs Lite for WooCommerce <= 1.7.6 - Authenticated (Store Manager+) Stored Cross-Site Scripting The Custom Product Tabs Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_wc_custom_product_tabs_lite_tab_title' parameter in versions up to, and including, 1.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.7.7.
Status: vulnerable

Jan 27, 2025

CVE, Research URL: CVE-2024-12600
Home page URL: Security reports for Custom Product Tabs Lite for WooCommerce
Application: Custom Product Tabs Lite for WooCommerce
Date: Jan 25, 2025
Research Description: The Custom Product Tabs Lite for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.0 via deserialization of untrusted input from the 'frs_woo_product_tabs' parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Affected versions: max 1.9.1.
Status: vulnerable