CVE-2022-3536: CWE-502 Deserialization of Untrusted Data in Unknown Role Based Pricing for WooCommerce

Low
Tags: Vulnerability, CVE-2022-3536, CWE-502, CWE-352
Published: Mon Nov 07 2022 (11/07/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Unknown
Product: Role Based Pricing for WooCommerce

Description

The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog

AI-Powered Analysis

Last updated: 07/03/2025, 07:42:26 UTC

Technical Analysis

CVE-2022-3536 is a high-severity vulnerability in the Role Based Pricing for WooCommerce WordPress plugin, affecting versions prior to 1.6.3. It arises from missing authorisation checks and missing Cross-Site Request Forgery (CSRF) protection, combined with insufficient validation of user-supplied file paths. An authenticated user with low privileges, such as a subscriber, can use the flaw to trigger PHAR deserialization if they are able to upload a file and a suitable gadget chain exists within the WordPress environment.

PHAR deserialization abuses the way PHP handles PHAR (PHP Archive) files: when a filesystem function is given a path that uses the phar:// stream wrapper, PHP reads the archive's serialized metadata and unserializes it, so attacker-controlled serialized objects are instantiated without any explicit unserialize() call in the application. Whether that leads to arbitrary code execution depends on the classes (the gadget chain) available on the site.

The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) and CWE-352 (Cross-Site Request Forgery), reflecting the two weaknesses involved: insecure deserialization and missing CSRF protection. The CVSS v3.1 base score of 8.8 indicates that it can be exploited remotely over the network without user interaction but requires low privileges (an authenticated account). Successful exploitation can lead to full compromise of the affected WordPress site, with confidentiality, integrity, and availability impacts.

No public exploits had been reported in the wild as of the publication date, but the plugin's use in e-commerce deployments makes the issue a significant risk. The record provides no patch link; the fix is to upgrade to version 1.6.3 or later, where the issue is resolved. Given the plugin's role in managing pricing by user role, an attacker could manipulate pricing logic or gain administrative control, with serious consequences for business operations and customer trust.
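The three missing controls named above (authorisation, CSRF protection, path validation) are easiest to see side by side in a WordPress AJAX handler. The following is an added illustration written for this page, not the plugin's own code; the handler names (rbp_export_handler_weak, rbp_export_handler_hardened), the action name rbp_export and the nonce action rbp_export_action are hypothetical.

```php
<?php
// Added illustration (not the plugin's code). A handler that takes a file path
// from the request, first in the weak shape the advisory describes, then hardened.

// WEAK: no capability check, no nonce, and the user-controlled path goes straight
// to a filesystem function. PHP's phar:// stream wrapper unserializes the archive's
// metadata when a filesystem function touches such a path, so a phar:// path that
// points at a previously uploaded file is enough to trigger deserialization.
function rbp_export_handler_weak() {
    $path = $_POST['file'];
    if ( file_exists( $path ) ) {   // phar://... reaches the stream wrapper here
        readfile( $path );
    }
    wp_die();
}

// HARDENED: authorisation, CSRF check, and path validation, in that order.
function rbp_export_handler_hardened() {
    // 1. Authorisation: subscribers must not reach this code at all.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // wp_send_json_error() exits
    }
    // 2. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'rbp_export_action', 'nonce' );

    // 3. Path validation: refuse any stream wrapper (phar://, php://, ...) and
    //    confine the resolved path to the uploads directory.
    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    if ( preg_match( '#^[a-z0-9.+-]+://#i', $requested ) ) {
        wp_send_json_error( 'stream wrappers are not allowed', 400 );
    }
    $base     = trailingslashit( wp_upload_dir()['basedir'] );
    $resolved = realpath( $base . basename( $requested ) );   // basename() drops ../
    if ( false === $resolved || 0 !== strpos( $resolved, $base ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    readfile( $resolved );
    wp_die();
}

// Only the hardened handler is registered; the weak one is shown for contrast.
add_action( 'wp_ajax_rbp_export', 'rbp_export_handler_hardened' );
```

The matching form or script must send the nonce produced by wp_create_nonce( 'rbp_export_action' ) in a field named nonce, otherwise check_ajax_referer() rejects every request.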

Potential Impact

For European organizations using WooCommerce with the Role Based Pricing plugin, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized code execution on e-commerce platforms, resulting in data breaches involving customer personal and payment information, manipulation of pricing and sales data, and potential site defacement or downtime. Such incidents could violate GDPR requirements for data protection and lead to regulatory penalties. The integrity of pricing mechanisms is critical for business trust and revenue; manipulation could cause financial loss and reputational damage. Additionally, attackers gaining administrative access could deploy further malware or ransomware, amplifying the impact. The vulnerability's exploitation by low-privilege users increases the attack surface, as even subscriber-level accounts can be leveraged. This is particularly concerning for organizations with large user bases or those that allow user registrations without stringent vetting. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially given the high CVSS score and the common use of WooCommerce in Europe’s e-commerce sector.

Mitigation Recommendations

European organizations should immediately verify if their WooCommerce installations use the Role Based Pricing plugin and confirm the plugin version. If running versions prior to 1.6.3, they must upgrade to 1.6.3 or later where the vulnerability is patched. In addition to patching, organizations should implement strict user role management policies to limit file upload capabilities to trusted users only. Employing Web Application Firewalls (WAFs) with rules to detect and block PHAR deserialization attempts can provide an additional layer of defense. Regularly audit plugin permissions and monitor logs for unusual file uploads or deserialization activities. Implementing Content Security Policies (CSP) and disabling unnecessary PHP functions related to deserialization may reduce exploitation risk. Organizations should also conduct penetration testing focused on deserialization vulnerabilities and CSRF protections in their WordPress environments. Finally, educating site administrators and developers about secure coding practices and the risks of insecure deserialization will help prevent similar issues.

Technical Details

Data Version: 5.1
Assigner Short Name: WPScan
Date Reserved: 2022-10-17T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9838c4522896dcbec46c

Added to database: 5/21/2025, 9:09:12 AM

Last enriched: 7/3/2025, 7:42:26 AM

Last updated: 8/12/2025, 7:37:34 PM