CVE-2024-12600: CWE-502 Deserialization of Untrusted Data in skyverge Custom Product Tabs Lite for WooCommerce
CVE-2024-12600 is a high-severity vulnerability in the Custom Product Tabs Lite for WooCommerce WordPress plugin, affecting all versions up to 1.9.0. It involves PHP Object Injection via deserialization of untrusted input from the 'frs_woo_product_tabs' parameter. Exploitation requires authenticated users with Shop Manager-level privileges or higher. While no direct POP (Property Oriented Programming) chain is present in the plugin itself, the presence of additional plugins or themes could enable arbitrary file deletion, sensitive data disclosure, or remote code execution. The vulnerability has a CVSS score of 7.2, indicating significant impact on confidentiality, integrity, and availability without requiring user interaction. No known exploits are currently reported in the wild. Organizations using WooCommerce with this plugin should prioritize patching or mitigating this issue to prevent potential privilege escalation and system compromise.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2024-12600 affects the Custom Product Tabs Lite for WooCommerce plugin for WordPress, specifically versions up to and including 1.9.0. It is categorized under CWE-502, which pertains to deserialization of untrusted data. The flaw arises from the plugin's handling of the 'frs_woo_product_tabs' parameter, which accepts serialized PHP objects without proper validation or sanitization. An attacker with authenticated access at the Shop Manager level or higher can supply crafted serialized data to inject PHP objects. Although the plugin itself lacks a direct POP chain to exploit this injection for malicious actions, the presence of other plugins or themes that provide exploitable POP chains can enable attackers to perform dangerous operations such as arbitrary file deletion, data exfiltration, or remote code execution. The vulnerability is remotely exploitable over the network (AV:N), requires low attack complexity (AC:L), but does require privileges (PR:H) and no user interaction (UI:N). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), resulting in a CVSS 3.1 base score of 7.2. No patches are currently linked, and no active exploits have been reported, but the risk remains significant due to the potential severity of impact and the widespread use of WooCommerce in e-commerce environments.
Potential Impact
This vulnerability poses a serious risk to organizations running WooCommerce stores with the affected plugin. An attacker with Shop Manager-level access—which is a common role for store administrators and trusted personnel—can leverage this flaw to inject malicious PHP objects. If additional plugins or themes on the target system provide exploitable POP chains, attackers could escalate the attack to delete critical files, exfiltrate sensitive customer or business data, or execute arbitrary code on the server. This can lead to full system compromise, data breaches, loss of customer trust, financial damage, and disruption of e-commerce operations. Since WooCommerce powers a significant portion of online stores worldwide, the potential attack surface is large. The requirement for authenticated access limits the attack vector but does not eliminate risk, especially in environments with weak internal controls or compromised credentials. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread exploitation occurs.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the presence of the Custom Product Tabs Lite for WooCommerce plugin and verify its version. Until an official patch is released, consider the following mitigations: restrict Shop Manager and higher roles to trusted personnel only and review user privileges to minimize unnecessary access; implement strict input validation and sanitization at the web application firewall (WAF) level to detect and block suspicious serialized payloads targeting the 'frs_woo_product_tabs' parameter; disable or remove unnecessary plugins and themes that could provide POP chains, reducing the attack surface; monitor logs for unusual activity related to plugin parameters or privilege escalation attempts; enforce strong authentication mechanisms including multi-factor authentication (MFA) for all administrative roles; and maintain regular backups to enable recovery in case of compromise. Once a patch becomes available, apply it promptly. Additionally, consider isolating the WooCommerce environment to limit lateral movement in case of exploitation.
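As an added illustration of the WAF and log check the mitigations describe (example code, not the plugin's or the advisory's): a small walker over PHP serialize() output that reports the classes unserialize() would instantiate, so a 'frs_woo_product_tabs' value can be flagged on object tokens without false-positiving on a string value that merely looks like one. The sample values and the class name Gadget_Class are constructed for this example.

```python
# Added example, not the plugin's or the advisory's code: walk PHP serialize()
# output and list the classes unserialize() would instantiate (O:/C: tokens),
# honouring s: byte lengths so a string merely containing "O:1:" is not flagged.
class PhpSerialScanner:
    def __init__(self, payload: bytes):
        self.s = payload.decode("latin-1")  # one char per byte: PHP lengths are bytes
        self.i, self.classes = 0, []
    def expect(self, ch: str) -> None:
        if self.s[self.i:self.i + 1] != ch:
            raise ValueError(f"malformed serialized data at offset {self.i}")
        self.i += 1
    def read_until(self, ch: str) -> str:
        j = self.s.index(ch, self.i)
        tok, self.i = self.s[self.i:j], j + 1
        return tok
    def read_str(self) -> str:              # <len>:"<bytes>"
        n = int(self.read_until(":"))
        self.expect('"')
        val, self.i = self.s[self.i:self.i + n], self.i + n
        self.expect('"')
        return val
    def members(self, count: int) -> None:  # {key;value;...}
        self.expect("{")
        for _ in range(2 * count):
            self.value()
        self.expect("}")
    def value(self) -> None:
        tag, self.i = self.s[self.i], self.i + 2   # type tag plus ':' (';' for N)
        if tag in "bidrR":                  # bool/int/float or back-reference
            self.read_until(";")
        elif tag == "s":
            self.read_str(); self.expect(";")
        elif tag == "a":
            self.members(int(self.read_until(":")))
        elif tag == "O":                    # object token: what a POP chain needs
            self.classes.append(self.read_str()); self.expect(":")
            self.members(int(self.read_until(":")))
        elif tag == "C":                    # custom Serializable payload
            self.classes.append(self.read_str()); self.expect(":")
            n = int(self.read_until(":")); self.expect("{"); self.i += n; self.expect("}")
        elif tag != "N":
            raise ValueError(f"unknown type tag {tag!r} at offset {self.i - 2}")

def php_object_classes(payload: bytes) -> list[str]:
    sc = PhpSerialScanner(payload); sc.value()
    return sc.classes   # [] means the value is safe plain data (arrays, scalars)

# Constructed frs_woo_product_tabs samples (not from the advisory); only the
# second carries a real object token, nested inside the tabs array.
BENIGN = b'a:1:{i:0;a:2:{s:5:"title";s:4:"Size";s:7:"content";s:12:"O:1:"x":0:{}";}}'
INJECTED = b'a:1:{i:0;O:12:"Gadget_Class":1:{s:4:"name";s:3:"foo";}}'
```

On the application side the equivalent fix is PHP's own `unserialize($data, ['allowed_classes' => false])`, which refuses to instantiate any object; the scanner above is the request-side counterpart for a WAF rule or log review.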
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-12T23:18:12.902Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e44b7ef31ef0b59c021
Added to database: 2/25/2026, 9:48:52 PM
Last enriched: 2/26/2026, 3:12:15 AM
Last updated: 2/26/2026, 9:43:50 AM