CVE-2024-12721: CWE-502 Deserialization of Untrusted Data in webbuilder143 Custom Product Tabs For WooCommerce
CVE-2024-12721 is a high-severity vulnerability in the Custom Product Tabs For WooCommerce WordPress plugin (all versions up to and including 1.2.4) that allows PHP Object Injection through deserialization of untrusted input in the 'wb_custom_tabs' parameter. Exploitation requires an authenticated account with Shop Manager-level privileges or higher and no user interaction. The plugin itself contains no POP (Property Oriented Programming) chain, but any other installed plugin or theme that does contain one lets an attacker turn the injected object into arbitrary code execution, file deletion, or access to sensitive data. The vulnerability affects the confidentiality, integrity, and availability of the affected site. No exploitation in the wild has been observed. Organizations using this plugin should prioritize patching or mitigating the issue.
AI Analysis
Technical Summary
The Custom Product Tabs For WooCommerce plugin for WordPress contains a deserialization vulnerability (CWE-502) tracked as CVE-2024-12721. In all versions up to and including 1.2.4, the value of the 'wb_custom_tabs' parameter is handed to PHP's unserialize(), which instantiates whatever classes the payload names. Because PHP's native serialization format can name arbitrary classes, an attacker who controls the input can make the application create objects of any loaded class with attacker-chosen property values (PHP Object Injection); magic methods such as __wakeup(), __destruct() and __toString() on those objects then run with the plugin's privileges. Exploitation requires an authenticated account with Shop Manager-level privileges or higher, a role WooCommerce stores commonly grant to staff who manage products and orders. That role ordinarily cannot install plugins or edit PHP files, so the deserialization flaw is what would let such an account reach code execution. The plugin itself contains no POP chain that leads to code execution or file manipulation, but if any other plugin or theme on the same WordPress instance ships an exploitable chain, an attacker can reuse it for arbitrary file deletion, sensitive data retrieval, or remote code execution. The CVSS v3.1 base score is 7.2 (High): network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patch or update is currently linked from this record, and no exploitation in the wild had been reported as of publication. The fix for this class of bug is to stop deserializing browser-supplied data with unserialize(), or at minimum to call it with the allowed_classes option set to false so that no object can be instantiated; the case is a reminder that unsafe deserialization in one WordPress plugin becomes exploitable through gadgets in any other installed component.
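The following PHP script is an added example, not code from the Custom Product Tabs plugin or from Wordfence's advisory. It reproduces the vulnerability class the summary describes (a request parameter reaching unserialize()) next to two hardened loaders, and runs a constructed payload through both. HypotheticalLogFlusher is an invented gadget that stands in for a class some other plugin or theme might define; the vulnerable plugin itself has no such chain, and the function and parameter names below are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code). Shows why unserialize() on a request
// parameter is PHP Object Injection and what the hardened forms look like.
// HypotheticalLogFlusher is an invented gadget, standing in for a class that
// some OTHER installed plugin or theme might provide.

class HypotheticalLogFlusher {
    public $path;
    // A destructor runs as soon as the injected object is freed, which in the
    // vulnerable loader is the moment the function returns. Destructors that
    // touch the filesystem are classic POP-chain gadgets.
    public function __destruct() {
        if (is_string($this->path) && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE: unserialize() instantiates whatever class the payload names.
function vulnerable_load_tabs(string $raw): array {
    $tabs = unserialize($raw);
    return is_array($tabs) ? $tabs : [];
}

// FIX 1: keep the serialized format but forbid object instantiation and
// validate the shape. Objects in the payload become __PHP_Incomplete_Class,
// which is not an array, so they are rejected before any magic method runs.
function hardened_load_tabs(string $raw): array {
    $tabs = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($tabs)) {
        return [];
    }
    $clean = [];
    foreach ($tabs as $tab) {
        if (!is_array($tab) || !isset($tab['title'], $tab['content'])
            || !is_string($tab['title']) || !is_string($tab['content'])) {
            return []; // any unexpected element invalidates the submission
        }
        $clean[] = ['title' => $tab['title'], 'content' => $tab['content']];
    }
    return $clean;
}

// FIX 2: stop using PHP serialization for browser-supplied data at all.
// json_decode() with assoc=true can only ever produce scalars and arrays.
function json_load_tabs(string $raw): array {
    $tabs = json_decode($raw, true);
    return is_array($tabs) ? $tabs : [];
}

// --- Demonstration with a constructed payload ---
$victim = tempnam(sys_get_temp_dir(), 'cpt');
file_put_contents($victim, 'data the attacker wants gone');

// What an attacker would submit in wb_custom_tabs: a serialized object of the
// gadget class whose property points at the file to delete.
$payload = sprintf('O:22:"HypotheticalLogFlusher":1:{s:4:"path";s:%d:"%s";}',
    strlen($victim), $victim);

vulnerable_load_tabs($payload);
printf("vulnerable loader: victim file still exists? %s\n",
    var_export(file_exists($victim), true));

file_put_contents($victim, 'recreated for the second run');
hardened_load_tabs($payload);
printf("hardened loader:   victim file still exists? %s\n",
    var_export(file_exists($victim), true));

// Legitimate data still round-trips through the hardened loader.
$legit = serialize([['title' => 'Specs', 'content' => '<p>Weight: 2 kg</p>']]);
print_r(hardened_load_tabs($legit));
unlink($victim);
```

Run it with any PHP 7.0 or newer CLI: the first call deletes the temporary file because the gadget's destructor fires when the deserialized object goes out of scope, while the second leaves it in place and returns an empty array. In a real plugin the save handler should also verify a nonce and call current_user_can(), but neither of those addresses the deserialization itself; a Shop Manager is an authorized caller, so the input format is what has to change.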
Potential Impact
This vulnerability poses a significant risk to organizations running WooCommerce stores with the vulnerable Custom Product Tabs plugin. An attacker with Shop Manager-level access could exploit this flaw to inject malicious PHP objects, potentially leading to remote code execution, data theft, or destruction of website files if a suitable POP chain exists in the environment. This could result in website defacement, loss of customer trust, leakage of sensitive customer and business data, disruption of e-commerce operations, and financial losses. The requirement for authenticated access limits the attack surface but does not eliminate risk, as Shop Manager accounts may be compromised via phishing or credential reuse. The vulnerability could also be leveraged in multi-stage attacks to escalate privileges or pivot within the hosting environment. Given WooCommerce’s widespread use globally, the impact could be broad, affecting small to large e-commerce businesses that rely on this plugin for product tab customization.
Mitigation Recommendations
1. Immediately review and restrict Shop Manager-level user accounts to trusted personnel only, enforce strong authentication, and monitor them for suspicious activity.
2. Disable or remove the Custom Product Tabs For WooCommerce plugin if it is not essential to business operations.
3. Monitor for plugin updates or security patches from the vendor and apply them promptly once available.
4. Implement Web Application Firewall (WAF) rules that block PHP-serialized object tokens (O:<n>:" and C:<n>:") in the 'wb_custom_tabs' parameter, including base64- or URL-encoded forms; serialized arrays (a:) are normal WordPress data and should not be blocked outright.
5. Audit all installed plugins and themes for classes that provide exploitable POP chains, since the plugin's injection point is only dangerous in combination with such a chain.
6. Apply the principle of least privilege to all WordPress roles and add hardening such as two-factor authentication for privileged accounts.
7. Back up website data and files regularly so a compromised site can be restored.
8. Use security plugins that can detect PHP object injection or anomalous deserialization attempts.
Together these measures reduce both the likelihood and the impact of exploitation while a vendor fix is pending.
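As a worked version of mitigation items 4 and 8, the following PHP script is an added example and not part of this record or of any vendor product. It flags PHP-serialized object tokens in request parameters, peeling one layer of URL or base64 encoding at a time, and runs the check over constructed sample submissions. The parameter name wb_custom_tabs comes from the advisory; the class name SomeGadg in the samples is invented.

```php
<?php
// Added example (not the plugin's or Wordfence's code): request-side detection
// of PHP object payloads, usable as a WAF-style rule, a WordPress 'init' hook,
// or a filter over captured request logs.

// Matches a serialized object (O:) or Serializable object (C:) token at the
// start of the value or nested inside an array/object body.
const PHP_OBJECT_TOKEN = '/(?:^|[;{:])[OC]:\d+:"/';

function contains_php_object(string $value, int $depth = 0): bool {
    if (preg_match(PHP_OBJECT_TOKEN, $value)) {
        return true;
    }
    // Payloads are often URL- or base64-encoded; peel one layer and look
    // again, bounded to a few layers so hostile input cannot make us loop.
    if ($depth >= 3) {
        return false;
    }
    $decoded = urldecode($value);
    if ($decoded !== $value && contains_php_object($decoded, $depth + 1)) {
        return true;
    }
    $b64 = base64_decode($value, true); // strict: false on non-base64 input
    if ($b64 !== false && $b64 !== '' && contains_php_object($b64, $depth + 1)) {
        return true;
    }
    return false;
}

// Scan a request and return the names of parameters carrying an object payload.
function flag_object_injection(array $params): array {
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && contains_php_object($value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample submissions to the plugin's save handler.
$samples = [
    'benign serialized tabs' => ['wb_custom_tabs' =>
        'a:1:{i:0;a:2:{s:5:"title";s:5:"Specs";s:7:"content";s:4:"2 kg";}}'],
    'top-level object'       => ['wb_custom_tabs' =>
        'O:8:"SomeGadg":1:{s:4:"path";s:8:"/tmp/x.x";}'],
    'object nested in array' => ['wb_custom_tabs' =>
        'a:1:{i:0;O:8:"SomeGadg":0:{}}'],
    'base64-wrapped object'  => ['wb_custom_tabs' =>
        base64_encode('O:8:"SomeGadg":0:{}')],
    'json, no objects'       => ['wb_custom_tabs' =>
        '[{"title":"Specs","content":"2 kg"}]'],
];

foreach ($samples as $label => $params) {
    $hits = flag_object_injection($params);
    printf("%-24s -> %s\n", $label,
        $hits ? 'BLOCK (' . implode(',', $hits) . ')' : 'allow');
}
```

Only the three object-carrying samples are flagged; the serialized array and the JSON submission pass, which matters because WordPress and WooCommerce legitimately store serialized arrays in options and post meta. The token pattern can still misfire on a tab whose visible text happens to contain something like O:1:" inside a string, so treat a rule of this kind as a logging and blocking stopgap rather than a substitute for removing unserialize() from the request path.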
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-17T17:37:59.548Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e46b7ef31ef0b59c2dd
Added to database: 2/25/2026, 9:48:54 PM
Last enriched: 2/26/2026, 3:00:00 AM
Last updated: 2/26/2026, 8:47:50 AM
Related Threats
CVE-2026-1698 (Medium): CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax in arcinfo PcVue
CVE-2026-1697 (Medium): CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in arcinfo PcVue
CVE-2026-1696 (Low): CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue
CVE-2026-1695 (Medium): CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue
CVE-2026-1694 (Low): CWE-201 Insertion of Sensitive Information into Sent Data in arcinfo PcVue